endian.authentication package

Submodules

endian.authentication.auth_client module

Module author: Andrea Bonomi <a.bonomi@endian.com>

authenticate(username, password, scope, method='GET', host='localhost', port=3132, caller_id=None)

Try to authenticate a user, identified by a username, a password and a scope. Raise ‘ClientAuthException’ if the authentication fails.

Returns: a dictionary of user attributes in case of success.
Return type: dict
get_user(username, scope, retrieve_attributes='*', method='GET', host='localhost', port=3132, caller_id=None, **argv)

Get a user, identified by a username and a scope. Raise ‘ClientAuthException’ in case of error (e.g. the user does not exist).

Parameters:
  • username (string) – username
  • scope (string) – scope
  • retrieve_attributes (list of strings) – list of user attributes to be returned
Returns:

Return a dictionary of user attributes in case of success.

Return type:

dict

list_users(scope, retrieve_attributes=['name'], method='GET', host='localhost', port=3132, caller_id=None, **argv)

Get the list of all the users of a scope. For each user, the subset of attributes given by the retrieve_attributes parameter is returned. This method depends on the ability of the providers to retrieve the user list (not all kinds of providers can do this). The additional keyword arguments (argv) are used to filter the user list.

Parameters:
  • scope (string) – scope
  • retrieve_attributes (list of strings) – list of user attributes to be returned
Returns:

a list of users with the selected attributes

Return type:

list of dict

create_user(username, scope, password=None, method='GET', host='localhost', port=3132, caller_id=None)

Create a new user. Raise ‘ClientAuthException’ if the user cannot be created.

Parameters:
  • username (string) – username
  • scope (string) – scope
  • password (string) – optional password
Returns:

Return a dictionary of user attributes in case of success.

Return type:

dict

delete_user(username, scope, method='GET', host='localhost', port=3132, caller_id=None)

Delete a user. Raise ‘ClientAuthException’ if the user cannot be deleted.

Parameters:
  • username (string) – username
  • scope (string) – scope
Returns:

Return a dictionary of user attributes in case of success.

Return type:

dict

update_user_value(username, scope, attribute, value, method='GET', host='localhost', port=3132, caller_id=None)

Update a user attribute

Parameters:
  • username (string) – username
  • scope (string) – scope
  • attribute (string) – the attribute to be updated
  • value (value) – the attribute value
Returns:

Return a dictionary of user attributes in case of success.

Return type:

dict

sync_users(scope, method='GET', host='localhost', port=3132, caller_id=None)

Sync users from a remote source (e.g. LDAP) so that service options can be overridden locally.

Parameters: scope (string) – scope
Returns: a dict containing the lists of available users, removed users and created users
Return type: dict
get_group(groupname, scope, retrieve_attributes='*', method='GET', host='localhost', port=3132, caller_id=None, **argv)

Get a group, identified by a groupname and a scope. Raise ‘ClientAuthException’ in case of error (e.g. the group does not exist).

Parameters:
  • groupname (string) – groupname
  • scope (string) – scope
  • retrieve_attributes (list of strings) – list of group attributes to be returned
Returns:

Return a dictionary of group attributes in case of success.

Return type:

dict

list_groups(scope, retrieve_attributes=['name'], method='GET', host='localhost', port=3132, caller_id=None, **argv)

Get the list of all the groups of a scope. For each group, the subset of attributes given by the retrieve_attributes parameter is returned. This method depends on the ability of the providers to retrieve the group list (not all kinds of providers can do this). The additional keyword arguments (argv) are used to filter the group list.

Parameters:
  • scope (string) – scope
  • retrieve_attributes (list of strings) – list of group attributes to be returned
Returns:

a list of groups with the selected attributes

Return type:

list of dict

create_group(groupname, scope, method='GET', host='localhost', port=3132, caller_id=None)

Create a new group. Raise ‘ClientAuthException’ if the group cannot be created.

Parameters:
  • groupname (string) – groupname
  • scope (string) – scope
Returns:

Return a dictionary of group attributes in case of success.

Return type:

dict

delete_group(groupname, scope, method='GET', host='localhost', port=3132, caller_id=None)

Delete a group by name

Parameters:
  • groupname (string) – groupname
  • scope (string) – scope
Returns:

Return a dictionary of group attributes in case of success.

Return type:

dict

update_group_value(groupname, scope, attribute, value, method='GET', host='localhost', port=3132, caller_id=None)

Update a group attribute

Parameters:
  • groupname (string) – groupname
  • scope (string) – scope
  • attribute (string) – the attribute to be updated
  • value (value) – the attribute value
Returns:

Return a dictionary of group attributes in case of success.

Return type:

dict

sync_groups(scope, method='GET', host='localhost', port=3132, caller_id=None)

Sync groups from a remote source (e.g. LDAP) so that service options can be overridden locally.

Parameters: scope (string) – scope
Returns: a dict containing the lists of available groups, invalidated groups and created groups
Return type:dict
auth_client_cmd(cmd, args={}, method='GET', host='localhost', port=3132)

Send a generic cmd to the authentication layer. Raise ‘ClientAuthException’ in case of error.

Returns:Return the result of the command execution.
Return type:a dict or a list
get_scopes(method='GET', host='localhost', port=3132, caller_id=None)

Return the authentication scopes list

Returns:Return a list of scopes.
Return type:list of dict
get_scope_names(method='GET', host='localhost', port=3132, caller_id=None)

Return the list of all the defined authentication scopes

get_scope_title(name, method='GET', host='localhost', port=3132, caller_id=None)

Return the title of a scope by name, falling back to the name itself if no title is defined

Parameters: name (string) – scope name
Return type: string
get_providers(method='GET', host='localhost', port=3132, caller_id=None)

Return the authentication providers list

Returns:Return a list of providers.
Return type:list of dict
get_provider_types(method='GET', host='localhost', port=3132, caller_id=None)

Return the list of all the providers types

get_provider_type(id, method='GET', host='localhost', port=3132, caller_id=None)

Return the provider type by id

Parameters: id (string) – provider type id
Return type:dict
reload_scopes_and_providers(method='GET', host='localhost', port=3132, caller_id=None)

Reload the scopes and providers configuration

create_certificate(cert_name, cert_email='', cert_ou='', cert_organization='', cert_city='', cert_state='', cert_country='', cert_subjectaltname='', cert_password='', cert_days='', cert_filename='', cert_type='', cert_comment='', cert_start_date='', method='GET', host='localhost', port=3132, caller_id=None)

Create a new certificate

Parameters:
  • cert_name (string) – CN = CommonName
  • cert_email – Email address
  • cert_ou (string) – OU = Organizational Unit, typically the certificate type
  • cert_organization (string) – O = Organization
  • cert_city (string) – L = Locality; generally the city
  • cert_state (string) – ST = state or province
  • cert_country (string) – C = ISO 3166 two-character country code
  • cert_subjectaltname (string) – optional subjectAltName extension value
  • cert_password (string) – certificate password
  • cert_days (string or int) – certificate validity in days
  • cert_filename (string) – certificate file name (equals cert_name if empty)
  • cert_type (string) – optional certificate type (check CERT_TYPE_OPTIONS for valid options)
  • cert_comment (string) – optional comment
  • cert_start_date (string in YYMMDDHHMMSSZ format) – optional certificate validity notBefore
create_certificate_authority(cert_name, cert_email='', cert_ou='', cert_organization='', cert_city='', cert_state='', cert_country='', cert_subjectaltname='', cert_days='', cert_filename='', method='GET', host='localhost', port=3132, caller_id=None)

Create a new certificate authority (CA certificate)

Parameters:
  • cert_name (string) – CN = CommonName
  • cert_email – Email address
  • cert_ou (string) – OU = Organizational Unit, typically the certificate type
  • cert_organization (string) – O = Organization
  • cert_city (string) – L = Locality; generally the city
  • cert_state (string) – ST = state or province
  • cert_country (string) – C = ISO 3166 two-character country code
  • cert_subjectaltname (string) – optional subjectAltName extension value
  • cert_days (string or int) – CA certificate validity in days
  • cert_filename (string) – certificate file name (equals cert_name if empty)
revoke_certificate(cert_name, method='GET', host='localhost', port=3132, caller_id=None)

Revoke a certificate

Parameters:cert_name (string) – Certificate name
verify_certificate(cert_name, method='GET', host='localhost', port=3132, caller_id=None)

Verify a certificate

Parameters:cert_name (string) – Certificate name
sign_certificate_request(cert_name, cert_subjectaltname='', cert_password='', cert_days='', cert_filename='', cert_type='', cert_start_date='', revoke_old_certificate=False, method='GET', host='localhost', port=3132, caller_id=None)

Sign a certificate request

Parameters:
  • cert_name (string) – CN = CommonName
  • cert_subjectaltname (string) –
  • cert_password (string) – certificate password
  • cert_days (string or int) – default certificate validity in days
  • cert_filename (string) – certificate file name (equals to cert_name if empty)
  • cert_type (string) – optional certificate type (check CERT_TYPE_OPTIONS for valid options)
  • cert_start_date (string in YYMMDDHHMMSSZ format) – optional certificate validity notBefore
  • revoke_old_certificate (boolean) – revoke the old certificate if it exists

Create the certificate hash symlink used by openssl

Parameters:cert_name (string) – Certificate name

Create the CA certificate hash symlink used by openssl

Parameters:cert_name (string) – CA Certificate name
open_session(username, scope, local=None, remote=None, session_id=None, method='GET', host='localhost', port=3132, caller_id=None, **argv)

Set up a user session for a previously, successfully authenticated user. The session should later be terminated with a call to close_session.

Parameters:
  • username (string) – username
  • scope (string) – a scope name
  • local (string) – optional local IP address
  • remote (string) – optional remote IP address
  • session_id (string) – optional session id (default = username)
close_session(username, scope, session_id=None, method='GET', host='localhost', port=3132, caller_id=None, **argv)

This function is used to indicate that an authenticated session has ended. The session should have been created with a call to open_session.

Parameters:
  • username (string) – username
  • scope (string) – a scope name
  • session_id (string) – optional session id (default = username)
list_open_sessions(username='', scope='', method='GET', host='localhost', port=3132, caller_id=None, **argv)

List the open sessions.

Parameters:
  • username (string) – an optional username
  • scope (string) – an optional scope name

Create the CRL hash symlink used by openssl

Parameters: crl_name (string) – CRL name
generate_crl(method='GET', host='localhost', port=3132, caller_id=None)

Generate/regenerate the CRL file

update_index(method='GET', host='localhost', port=3132, caller_id=None)

Check index.txt for expired certificates and mark them as expired
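
The bookkeeping behind update_index, revoke_certificate, verify_certificate and generate_crl, as an added example that is not the project's code. It works on the index.txt database that OpenSSL's ca command keeps (the page says update_index checks index.txt for expired certificates); the tab-separated field layout is OpenSSL's, the sample index is constructed here, and that the Endian functions manipulate the file in exactly this way is an assumption.

```python
from datetime import datetime, timezone

# Constructed sample index.txt (OpenSSL "ca" database). Tab-separated fields:
#   status (V valid, R revoked, E expired), notAfter (YYMMDDHHMMSSZ),
#   revocation date (empty unless revoked, optionally "date,reason"),
#   serial (hex), certificate file name ("unknown"), subject DN.
SAMPLE_INDEX = (
    "V\t260101120000Z\t\t01\tunknown\t/CN=vpn-gw.example.invalid\n"
    "V\t200101120000Z\t\t02\tunknown\t/CN=old-client\n"
    "R\t270101120000Z\t230615080000Z,keyCompromise\t03\tunknown\t/CN=lost-laptop\n"
)

FIELDS = ("status", "expiry", "revoked", "serial", "filename", "subject")


def parse_time(s):
    """YYMMDDHHMMSSZ (UTC), the same form the page uses for cert_start_date."""
    return datetime.strptime(s, "%y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def format_time(dt):
    return dt.astimezone(timezone.utc).strftime("%y%m%d%H%M%SZ")


def parse_index(text):
    entries = []
    for line in text.splitlines():
        if line.strip():
            entries.append(dict(zip(FIELDS, line.split("\t"))))
    return entries


def dump_index(entries):
    return "".join("\t".join(e[f] for f in FIELDS) + "\n" for e in entries)


def update_index(entries, now):
    """Mark valid entries whose notAfter has passed as expired (E); return the serials marked."""
    marked = []
    for e in entries:
        if e["status"] == "V" and parse_time(e["expiry"]) <= now:
            e["status"] = "E"
            marked.append(e["serial"])
    return marked


def revoke(entries, serial, now, reason=None):
    """Revoke a certificate: status R plus revocation date, optionally a CRL reason."""
    for e in entries:
        if e["serial"] == serial:
            if e["status"] == "R":
                raise ValueError("serial %s is already revoked" % serial)
            e["status"] = "R"
            e["revoked"] = format_time(now) + ("," + reason if reason else "")
            return e
    raise KeyError(serial)


def verify(entries, serial, now):
    """A certificate verifies only if it is in the index, not revoked and not expired."""
    for e in entries:
        if e["serial"] == serial:
            if e["status"] == "R":
                return False, "revoked"
            if parse_time(e["expiry"]) <= now:
                return False, "expired"
            return True, "valid"
    return False, "unknown serial"


def crl_serials(entries):
    """Serials that belong on the CRL (the set generate_crl would publish)."""
    return [e["serial"] for e in entries if e["status"] == "R"]


if __name__ == "__main__":
    now = parse_time("240601000000Z")
    idx = parse_index(SAMPLE_INDEX)
    print("expired:", update_index(idx, now))
    revoke(idx, "01", now, "cessationOfOperation")
    print("crl:", crl_serials(idx))
    print(dump_index(idx), end="")
```

The OpenSSL equivalents are `openssl ca -updatedb` (mark expired entries), `openssl ca -revoke <cert> -crl_reason <reason>` and `openssl ca -gencrl`. The hash symlinks described above (`<hash>.0` for certificates, `<hash>.r0` for CRLs, hashes from `openssl x509 -hash` and `openssl crl -hash`) are what lets `openssl verify -CApath` and other OpenSSL clients find the CA certificate and its CRL by subject hash; regenerating the CRL without refreshing its symlink leaves verifiers checking the stale revocation list.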

exception ClientAuthException

Bases: exceptions.Exception

endian.authentication.daemon module

main()
class EalDaemon(name)

Bases: endian.core.daemon.Daemon

do()
shutdown(*args, **kwds)
class EalHandler(request, client_address, server)

Bases: BaseHTTPServer.BaseHTTPRequestHandler

do_GET()

Respond to a GET request.

index()

Index page, return the list of the available actions

log_error(format, *args)
log_message(format, *args)
log_request(code='-', size=None)
send_error(code=500, message=None, ex=None)

Send an error reply as JSON

send_response(code, message=None)

Send the response header and log the response code.
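
The request/response protocol between auth_client (auth_client_cmd and the per-action helpers above) and the daemon handler (EalHandler.do_GET, index, send_error), as an added example that is not the project's code. It is written for Python 3 rather than the Python 2 this module targets, keeps both sides in one process so it runs offline, and assumes a layout the page does not state: the URL path is the action name, the query string carries the keyword arguments, and replies are JSON. DemoAuthenticationLayer, its in-memory user and the scope name are constructed for the example. The point worth seeing is the ACTIONS allow-list (cf. EndianAuthenticationLayer.ACTIONS below): the handler checks the action against it before getattr, so methods that are not listed cannot be reached from the HTTP side.

```python
import hashlib
import hmac
import json
import os
from urllib.parse import parse_qs, urlencode, urlsplit


class AuthException(Exception):
    """Raised inside the layer when authentication or a lookup fails."""


class ClientAuthException(Exception):
    """Raised on the client side when the daemon answers with an error."""


class DemoAuthenticationLayer:
    """Stand-in for EndianAuthenticationLayer with one in-memory provider (constructed)."""

    # Allow-list of names reachable over HTTP. Anything else on the object
    # (load_providers, get_provider_class, _hash, ...) is not callable remotely.
    ACTIONS = ["", "authenticate", "get_user", "get_scope_names"]

    def __init__(self):
        self._salt = os.urandom(16)
        # Sample store: salted PBKDF2 hashes, never plaintext passwords.
        self._users = {
            ("admin", "openvpn"): {
                "name": "admin",
                "email": "admin@example.invalid",
                "pw": self._hash("s3cret"),
            },
        }

    def _hash(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)

    def get_scope_names(self):
        return sorted({scope for _, scope in self._users})

    def get_user(self, username, scope, retrieve_attributes="*"):
        user = self._users.get((username, scope))
        if user is None:
            raise AuthException("user not found")
        wanted = list(user) if retrieve_attributes == "*" else retrieve_attributes.split(",")
        # The password hash is internal and is never exported to callers.
        return {k: user[k] for k in wanted if k in user and k != "pw"}

    def authenticate(self, username, password, scope):
        user = self._users.get((username, scope))
        candidate = self._hash(password)
        # Hash and compare even for unknown users, so the response time does not
        # reveal whether the username exists.
        expected = user["pw"] if user else bytes(len(candidate))
        ok = hmac.compare_digest(candidate, expected)
        if user is None or not ok:
            raise AuthException("authentication failed")
        return self.get_user(username, scope)


def handle_get(layer, path):
    """Daemon side (cf. EalHandler.do_GET): dispatch one GET path, return (http_code, json_body)."""
    url = urlsplit(path)
    action = url.path.strip("/")
    args = {k: v[-1] for k, v in parse_qs(url.query).items()}
    if action == "":                      # index page: list the available actions
        return 200, json.dumps(layer.ACTIONS)
    if action not in layer.ACTIONS:       # allow-list check before getattr
        return 404, json.dumps({"error": "unknown action %r" % action})
    try:
        return 200, json.dumps(getattr(layer, action)(**args))
    except AuthException as ex:
        return 403, json.dumps({"error": str(ex)})
    except TypeError as ex:               # missing or unexpected parameters
        return 400, json.dumps({"error": str(ex)})


def auth_client_cmd(layer, cmd, args=None):
    """Client side (cf. auth_client.auth_client_cmd): build the request, raise on error."""
    path = "/%s?%s" % (cmd, urlencode(args or {}))
    # A real client would send this path as an HTTP GET to host:port (localhost:3132);
    # here the daemon function is called directly so the example runs offline.
    code, body = handle_get(layer, path)
    result = json.loads(body)
    if code != 200:
        raise ClientAuthException("%d: %s" % (code, result["error"]))
    return result


if __name__ == "__main__":
    layer = DemoAuthenticationLayer()
    print(auth_client_cmd(layer, ""))
    print(auth_client_cmd(layer, "authenticate",
                          {"username": "admin", "password": "s3cret", "scope": "openvpn"}))
    print(handle_get(layer, "/get_provider_class?id=x"))
```

In this model the username and password travel in the query string of a GET request. If the real client does the same (its functions default to method='GET'), the daemon must stay bound to localhost as documented, and the handler's log_request and log_message overrides should not write query strings to the log, otherwise every successful authenticate call leaves a plaintext password in the log file.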

endian.authentication.eal module

class EndianAuthenticationLayer

Bases: object

ACTIONS = ['', 'authenticate', 'get_user', 'list_users', 'create_user', 'delete_user', 'update_user_value', 'sync_users', 'get_group', 'list_groups', 'create_group', 'delete_group', 'update_group_value', 'sync_groups', 'get_scope_names', 'get_scope_title', 'get_scopes', 'get_providers', 'get_provider_types', 'get_provider_type', 'reload_scopes_and_providers']
authenticate(username, password, scope, **argv)

Try to authenticate a user, identified by a username, a password and (optional) additional arguments, on a scope. Raise ‘AuthException’ if the authentication fails. Return a dictionary of user attributes in case of success.

Parameters:
  • username (string) – username
  • password (string) – password
  • scope (string) – a scope name or a string starting with the prefix ‘provider:’ followed by the name of a provider
create_group(groupname, scope)

Create a new group. Raise ‘AuthException’ if the group cannot be created.

Parameters:
  • scope (string) – a scope name or a string starting with the prefix ‘provider:’ followed by the name of a provider
  • groupname (string) – groupname
create_user(username, scope, password=None)

Create a new user. Raise ‘AuthException’ if the user cannot be created.

Parameters:
  • scope (string) – a scope name or a string starting with the prefix ‘provider:’ followed by the name of a provider
  • username (string) – username
  • password (string) – password
delete_group(groupname, scope)

Delete a group. Raise ‘AuthException’ if the group cannot be deleted.

Parameters:
  • scope (string) – a scope name or a string starting with the prefix ‘provider:’ followed by the name of a provider
  • groupname (string) – groupname
delete_user(username, scope)

Delete a user. Raise ‘AuthException’ if the user cannot be deleted.

Parameters:
  • scope (string) – a scope name or a string starting with the prefix ‘provider:’ followed by the name of a provider
  • username (string) – username
get_default_providers(id)
get_group(groupname, scope, retrieve_attributes='*', **argv)

Get a group, identified by a groupname and a scope. Raise ‘GroupNotFoundError’ if the group does not exist. Return a dictionary of group attributes in case of success.

Parameters:
  • groupname (string) – groupname
  • scope (string) – a scope name or a string starting with the prefix ‘provider:’ followed by the name of a provider
Returns:

a dictionary of group attributes

Return type:

dict

Raises:

GroupNotFoundError

get_provider(name)

Return a provider by its name

get_provider_class(id)
get_provider_type(id)

Return the provider type with the given id

get_provider_types()

Return the list of all the providers types

get_providers()

Return the authentication providers list

get_providers_by_scope(scope, default=[])

Return a list of providers for a scope

Parameters:scope (string) – a scope name or a string starting with the prefix ‘provider:’ followed by the name of a provider
get_scope_module(name)

Return the scope module by name

get_scope_names()

Return the list of all the defined authentication scopes

get_scope_title(name)

Return the title of a scope by name

get_scopes()

Return the authentication scopes list

get_user(username, scope, retrieve_attributes='*', **argv)

Get a user, identified by a username and a scope. Raise ‘UserNotFoundError’ if the user does not exist. Return a dictionary of user attributes in case of success.

Parameters:
  • username (string) – username
  • scope (string) – a scope name or a string starting with the prefix ‘provider:’ followed by the name of a provider
list_groups(scope, retrieve_attributes=['name'], **argv)

Get the list of all the groups of a scope. For each group, the subset of attributes given by the retrieve_attributes parameter is returned. This method depends on the ability of the providers to retrieve the group list (not all kinds of providers can do this). The additional keyword arguments are used to filter the group list.

Parameters:
  • scope (string) – a scope name or a string starting with the prefix ‘provider:’ followed by the name of a provider
  • retrieve_attributes (list of string) – list of group attributes to be returned
Returns:

a list of groups with the selected attributes

Return type:

list of dict

list_users(scope, retrieve_attributes=['name'], **argv)

Get the list of all the users of a scope. For each user, the subset of attributes given by the retrieve_attributes parameter is returned. This method depends on the ability of the providers to retrieve the user list (not all kinds of providers can do this). The additional keyword arguments are used to filter the user list.

Parameters:
  • scope (string) – a scope name or a string starting with the prefix ‘provider:’ followed by the name of a provider
  • retrieve_attributes (list of string) – list of user attributes to be returned
Returns:

a list of users with the selected attributes

Return type:

list of dict

load_providers()
register_provider_type(provider_class)

Register a new type of provider (e.g. file, local db, radius)

register_scope_name(id, title=None, default_providers=None, module=None)

Register a scope and create the default scope configuration and providers if missing

register_sub_handler(name, hander_class)
reload_scopes_and_providers()

Reload the scopes and providers configuration

sync_groups(scope)

Sync groups from a remote source, e.g. LDAP. Raise ‘AuthException’ if the groups cannot be synced.

Parameters:scope (string) – a scope name or a string starting with the prefix ‘provider:’ followed by the name of a provider
sync_users(scope)

Sync users from a remote source, e.g. LDAP. Raise ‘AuthException’ if the users cannot be synced.

Parameters:scope (string) – a scope name or a string starting with the prefix ‘provider:’ followed by the name of a provider
update_group_value(groupname, scope, attribute, value)

Update a group attribute

Parameters:
  • groupname (string) – groupname
  • scope (string) – scope
  • attribute (string) – the attribute to be updated
  • value (value) – the attribute value
Returns:

Return a dictionary of group attributes in case of success.

Return type:

dict

update_user_value(username, scope, attribute, value)

Update a user attribute

Parameters:
  • username (string) – username
  • scope (string) – scope
  • attribute (string) – the attribute to be updated
  • value (value) – the attribute value
Returns:

Return a dictionary of user attributes in case of success.

Return type:

dict