www-bocal/bocal_auth/rhosts.py

104 lines
2.3 KiB
Python
Raw Normal View History

''' Reads a .rhosts file '''
from django.conf import settings
from django.contrib.auth.models import Group
from .models import CasUser
def hasUser(user, allowed_domains=[]):
''' Check that `user` appears in the rhosts file.
If `allowed_domains` is not empty, also checks that the user belongs to one
of the specified domains. '''
def clearLine(line):
line = line.strip()
hashPos = line.find('#')
if hashPos >= 0:
line = line[:hashPos]
return line
with open(settings.RHOSTS_PATH, 'r') as handle:
for line in handle:
line = clearLine(line)
if not line:
continue
spl = line.split()
if len(spl) != 2:
continue # Not a login line
domain, login = spl
if login != user: # Not the ones we're looking for
continue
if domain[:2] != '+@': # Not a valid domain
continue
domain = domain[2:]
if allowed_domains != [] and domain not in allowed_domains:
continue
return True
return False
def default_allowed(user):
return hasUser(user, allowed_domains=['eleves'])
class NoBOcalException(Exception):
def __str__():
return "The BOcal group was not created"
def bocalGroup():
qs = Group.objects.filter(name='BOcal')
if qs.count() != 1:
raise NoBOcalException
return qs[0]
def stripCasPrivileges(user):
user.groups.remove(bocalGroup())
user.is_staff = False
user.save()
def grantBOcalPrivileges(user):
user.is_staff = True
user.groups.add(bocalGroup())
user.save()
def requireCasUser(fct):
def hasCas(user):
if user.is_anonymous:
return False
return CasUser.objects.filter(user=user).count() > 0
def wrap(user, *args, **kwargs):
if not hasCas(user):
return
return fct(user, *args, **kwargs)
return wrap
@requireCasUser
def evalRhostsPrivileges(user):
if default_allowed(user.username):
grantBOcalPrivileges(user)
else:
stripCasPrivileges(user)
@requireCasUser
def logout(user):
stripCasPrivileges()
def forceReevalRhosts(fct):
def wrap(req, *args, **kwargs):
evalRhostsPrivileges(req.user)
return fct(req, *args, **kwargs)
return wrap