Fix is_authenticated mechanism

2024-09-03 20:06:31 +02:00 · 2019-08-21 16:12:03 +02:00 · 2019-08-21 16:12:03 +02:00 · 0a13e5b000
commit 0a13e5b000
parent d7a33e5a14
2 changed files with 18 additions and 24 deletions
--- a/moulinette/authenticators/init.py
+++ b/moulinette/authenticators/init.py
@ -32,6 +32,7 @@ class BaseAuthenticator(object):

    def __init__(self, name):
        self._name = name
+        self.is_authenticated = False

    @property
    def name(self):
@ -44,12 +45,6 @@ class BaseAuthenticator(object):
    """The vendor name of the authenticator"""
    vendor = None

-    @property
-    def is_authenticated(self):
-        """Either the instance is authenticated or not"""
-        raise NotImplementedError("derived class '%s' must override this property" %
-                                  self.__class__.__name__)
-
    # Virtual methods
    # Each authenticator classes must implement these methods.

@ -103,6 +98,8 @@ class BaseAuthenticator(object):
                                 self.name, self.vendor, e)
                raise MoulinetteError('unable_authenticate')

+            self.is_authenticated = True
+
            # Store session for later using the provided (new) token if any
            if token:
                try:
@ -123,12 +120,14 @@ class BaseAuthenticator(object):
                s_id, s_token = token
                # Attempt to authenticate
                self._authenticate_session(s_id, s_token)
-            except MoulinetteError:
+            except MoulinetteError as e:
                raise
            except Exception as e:
                logger.exception("authentication (name: '%s', vendor: '%s') fails because '%s'",
                                 self.name, self.vendor, e)
                raise MoulinetteError('unable_authenticate')
+            else:
+                self.is_authenticated = True

        #
        # No credentials given, can't authenticate
--- a/moulinette/authenticators/ldap.py
+++ b/moulinette/authenticators/ldap.py
@ -57,21 +57,6 @@ class Authenticator(BaseAuthenticator):

    vendor = 'ldap'

-    @property
-    def is_authenticated(self):
-        if self.con is None:
-            return False
-        try:
-            # Retrieve identity
-            who = self.con.whoami_s()
-        except Exception as e:
-            logger.warning("Error during ldap authentication process: %s", e)
-            return False
-        else:
-            if who[3:] == self.userdn:
-                return True
-        return False
-
    # Implement virtual methods

    def authenticate(self, password):
@ -89,9 +74,19 @@ class Authenticator(BaseAuthenticator):
        except ldap.SERVER_DOWN:
            logger.exception('unable to reach the server to authenticate')
            raise MoulinetteError('ldap_server_down')
+
+        # Check that we are indeed logged in with the right identity
+        try:
+            who = con.whoami_s()
+        except Exception as e:
+            logger.warning("Error during ldap authentication process: %s", e)
+            raise
        else:
-            self.con = con
-            self._ensure_password_uses_strong_hash(password)
+            if who[3:] != self.userdn:
+                raise MoulinetteError("Not logged in with the expected userdn ?!")
+            else:
+                self.con = con
+                self._ensure_password_uses_strong_hash(password)

    def _ensure_password_uses_strong_hash(self, password):
        # XXX this has been copy pasted from YunoHost, should we put that into moulinette?