[Checkins] SVN: cipher.googlepam/trunk/ Support multiple Google groups.

Marius Gedminas cvs-admin at zope.org
Tue Oct 9 08:37:07 UTC 2012


Log message for revision 127946:
  Support multiple Google groups.
  
  The authenticating user has to be a member of any one of the specified
  groups for access to be allowed.

Changed:
  U   cipher.googlepam/trunk/CHANGES.txt
  U   cipher.googlepam/trunk/src/cipher/googlepam/googlepam.conf
  U   cipher.googlepam/trunk/src/cipher/googlepam/pam_google.py
  U   cipher.googlepam/trunk/src/cipher/googlepam/tests/test_doc.py

-=-
Modified: cipher.googlepam/trunk/CHANGES.txt
===================================================================
--- cipher.googlepam/trunk/CHANGES.txt	2012-10-08 18:03:00 UTC (rev 127945)
+++ cipher.googlepam/trunk/CHANGES.txt	2012-10-09 08:37:03 UTC (rev 127946)
@@ -1,10 +1,11 @@
 CHANGES
 =======
 
-1.4.1 (unreleased)
+1.5.0 (unreleased)
 ------------------
 
-- Nothing changed yet.
+- Support multiple Google groups.  The authenticating user has to be a member
+  of any one of them for access to be allowed.
 
 
 1.4.0 (2012-10-08)

Modified: cipher.googlepam/trunk/src/cipher/googlepam/googlepam.conf
===================================================================
--- cipher.googlepam/trunk/src/cipher/googlepam/googlepam.conf	2012-10-08 18:03:00 UTC (rev 127945)
+++ cipher.googlepam/trunk/src/cipher/googlepam/googlepam.conf	2012-10-09 08:37:03 UTC (rev 127946)
@@ -2,7 +2,7 @@
 ##domain=example.com
 ##admin-username=admin
 ##admin-password=good-pwd
-##group=group1
+##group=group1, group2
 excludes = root
 prompt = Google Password:
 #cache = file
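Review bot: The sample line `##group=group1, group2` does not say how several names are combined, and for an access-control option the difference between any-of and all-of matters. A comment above it such as `## group: comma-separated list; membership in any one of the groups is sufficient` would state what the loop in pam_google.py enforces. Each name added to this list widens who can log in, which is worth making explicit for whoever edits the file.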

Modified: cipher.googlepam/trunk/src/cipher/googlepam/pam_google.py
===================================================================
--- cipher.googlepam/trunk/src/cipher/googlepam/pam_google.py	2012-10-08 18:03:00 UTC (rev 127945)
+++ cipher.googlepam/trunk/src/cipher/googlepam/pam_google.py	2012-10-09 08:37:03 UTC (rev 127946)
@@ -229,8 +229,9 @@
         # Note: We could do that check before asking for the password, but
         # then we would give away the fact that the username is incorrect.
         if self.config.has_option(SECTION_NAME, 'group'):
-            group = self.config.get(SECTION_NAME, 'group')
-            LOG.debug('Group found: %s', group)
+            groups = [g.strip() for g in
+                      self.config.get(SECTION_NAME, 'group').split(',')]
+            LOG.debug('Groups found: %s', ', '.join(groups))
             service = self.GroupsService(
                 domain=self.config.get(SECTION_NAME, 'domain'),
                 email=self._get_email(
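Review bot: The new list comprehension keeps empty names, so a trailing comma (`group = group1,`) or an empty `group =` value puts `''` into `groups`, and the loop in the next hunk then asks `service.IsMember` about an empty group name. What that call does with an empty name is not visible here, so it is safer to drop blanks at parse time by adding `if g.strip()` to the comprehension. With that filter an all-blank setting yields an empty list, and the `for`/`else` in the next hunk still returns `PAM_AUTH_ERR`, so the check stays fail-closed. The enclosing method starts and ends outside this hunk.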
@@ -239,16 +240,21 @@
                 )
             service.ProgrammaticLogin()
             try:
-                if not service.IsMember(self.pamh.user, group):
+                for group in groups:
+                    if service.IsMember(self.pamh.user, group):
+                        LOG.debug('User "%s" is a member of group "%s".',
+                                  self.pamh.user, group)
+                        break
+                else:
                     LOG.info(
-                        'User "%s" is not a member of group "%s".',
-                        self.pamh.user, group)
+                        'User "%s" is not a member of %s %s.',
+                        self.pamh.user,
+                        "group" if len(groups) == 1 else "any of groups",
+                        ', '.join('"%s"' % group for group in groups))
                     return self.pamh.PAM_AUTH_ERR
             except AppsForYourDomainException, err:
                 LOG.exception('Admin user has insufficient priviledges.')
                 return self.pamh.PAM_AUTH_ERR
-            LOG.debug(
-                'User "%s" is a member of group "%s".', self.pamh.user, group)
 
         service = self.AppsService(
             domain=self.config.get(SECTION_NAME, 'domain'),
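Review bot: The `try` wraps the whole `for group in groups` loop, so an `AppsForYourDomainException` raised while checking an early group ends the loop and denies a user who belongs to a later group, and the log line names no group. Whether `IsMember` raises for a missing or misspelled group is not visible in this hunk, but with several configured names that case becomes more likely. Denying is the safe direction, so the loop can stay as it is. The log should name the group being checked, e.g. `LOG.exception('Membership check failed for group "%s".', group)`, so an operator can tell a config typo from a privilege problem. The enclosing method extends beyond the hunk on both sides.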

Modified: cipher.googlepam/trunk/src/cipher/googlepam/tests/test_doc.py
===================================================================
--- cipher.googlepam/trunk/src/cipher/googlepam/tests/test_doc.py	2012-10-08 18:03:00 UTC (rev 127945)
+++ cipher.googlepam/trunk/src/cipher/googlepam/tests/test_doc.py	2012-10-09 08:37:03 UTC (rev 127946)
@@ -93,6 +93,8 @@
             return True
         if username in ('user1', 'user2') and group == 'group2':
             return True
+        if username == 'user4' and group == 'group3':
+            return True
         return False
 
 
@@ -185,7 +187,7 @@
 
     This test goes through all scenarios top to bottom.
 
-    User is in exlcudes list:
+    User is in excludes list:
 
       >>> pam.pamh = FakePamHandle('root', 'pwd')
       >>> pam.authenticate()
@@ -269,6 +271,34 @@
 
     """
 
+def doctest_GooglePAM_authenticate_multiple_groups():
+    """class GooglePAM: authenticate()
+
+      >>> pam = pam_google.GooglePAM(
+      ...     FakePamHandle(), 0,
+      ...     ['script', '-c', os.path.join(HERE, 'multi-group.conf')])
+
+    User is in the wrong group:
+
+      >>> pam.pamh = FakePamHandle('user4', 'good-pwd')
+      >>> pam.authenticate()
+      INFO - User "user4" is not a member of any of groups "group1", "group2".
+      9
+
+    Successful authentication:
+
+      >>> pam.pamh = FakePamHandle('user1', 'good-pwd')
+      >>> pam.authenticate()
+      INFO - Authentication succeeded: user1
+      0
+
+      >>> pam.pamh = FakePamHandle('user2', 'good-pwd')
+      >>> pam.authenticate()
+      INFO - Authentication succeeded: user2
+      0
+
+    """
+
 def doctest_FileCache():
     """class FileCache
 
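Review bot: The new doctest loads `multi-group.conf` from `HERE`, but the commit's file list shows only four updated files and no added `multi-group.conf`, and no hunk in test_doc.py defines `HERE` (it is also used in the last hunk of this file). If either is missing at this revision the doctest fails when `GooglePAM` is constructed, so both should be confirmed or added with the commit. The scenarios cover a user outside all configured groups and users that match. A case with extra whitespace or a trailing comma in the `group` value would pin the parsing behaviour that pam_google.py now relies on.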
@@ -329,7 +359,7 @@
     pam_google.GooglePAM.AppsService = FakeAppsService
     test.orig_GroupsService = pam_google.GooglePAM.GroupsService
     pam_google.GooglePAM.GroupsService = FakeGroupsService
-    conf_file = os.path.join(os.path.dirname(__file__), 'googlepam.conf')
+    conf_file = os.path.join(HERE, 'googlepam.conf')
     pam_google.parser.set_default('config_file', conf_file)
 
 def tearDown(test):


