rcSecurityMan.py

#!/usr/local/bin/python
#
#                               Copyright 2003
#                                     by
#                        The Board of Trustees of the
#                     Leland Stanford Junior University.
#                            All rights reserved.
#

__facility__ = "Online"
__abstract__ = "Security Manager for RunControl"
__author__   = "S. Tuvi <STuvi@SLAC.Stanford.edu>"
__date__     = ("$Date: 2005/01/10 21:18:16 $").split(' ')[1]
__version__  = "$Revision: 2.5 $"
__release__  = "$Name: R04-12-00 $"
__credits__  = "SLAC"

import LATTE.copyright_SLAC

import os
from struct       import calcsize, pack, unpack
#from binascii     import hexlify
#import md5
import sys
import logging as log
from ConfigParser import ConfigParser
import sha, random, base64

class rcSecurityMan(object):
  """Security Manager class that contains
  user authentication and rights management routines.
  """
  def __init__(self, secureDir, users):
    self.__secureDir = secureDir
    self.__users = users
    self.__passwords = os.path.join(self.__secureDir, "passwords")
    self.__security = os.path.join(self.__secureDir, "security.cfg")
    self.__fmt = "40s 256s 32s 40s h"
    self.__roles = {}
    self.__permissions = {}

  def readPermissions(self):
    """Read permissions from the security.cfg file
    and update user objects.
    """
    if os.access(self.__passwords,os.O_RDONLY):
      permParser = ConfigParser()
      permParser.read(self.__security)
      pUsers = permParser.options("users")
      for loginId in pUsers:
        user = self.__users.getUserByLoginId(loginId)
        if user is not None:
          roles = permParser.get("users", loginId).split(", ")
          for role in roles:
            user.addRole(role)
            if role not in self.__roles:
              self.__roles[role] = []
            if role == 'administrator': continue
            if not permParser.has_option("roles", role):
              log.warn("No permissions defined for role %s" % role)
            else:
              permissions = permParser.get("roles", role).split(", ")
              for permission in permissions:
                if not permParser.has_option("permissions", permission):
                  log.warn("Permission %s is not in the security database" % permission)
                else:
                  permDesc = permParser.get("permissions", permission)
                  user.addPermission(permission)
                  if permission not in self.__roles[role]:
                    self.__roles[role].append(permission)
                    if permission not in self.__permissions:
                      self.__permissions[permission] = permDesc
                    else:
                      log.warn("Permission %s has already been defined." % permission)

        # Add the roles and permissions which do not belong to any user
        for role in permParser.options("roles"):
          if role not in self.__roles:
            self.__roles[role] = []
            permissions = permParser.get("roles", role).split(", ")
            for permission in permissions:
              if permission in permParser.options("permissions"):
                self.__roles[role].append(permission)
        for permission in permParser.options("permissions"):
          if permission not in self.__permissions:
            self.__permissions[permission] = permParser.get("permissions", permission)


  def registerPermission(self, role, permission, permDesc):
    """Method available to be called by a user script that
    allows the script to register a permission given a role
    and update any user permissions who belong in that role

    \param role       Role name for the \a permission to be included.
    \param permission Permission name.
    \param permDesc   Permission description
    """
    if self.roleHasPermission(role, permission):
      log.warn("Permission %s already exists in role %s" % (permission, role))
    else:
      if permission not in self.__permissions:
        self.__permissions[permission] = permDesc
      for user in self.__users:
        if role in user.getRoles():
          if permission not in user.getPermissions():
            user.addPermission(permission)

  def checkPermission(self, user, permission):
    """Checks if the user has been granted the specified permission

    \param user       rcUser object instance
    \param permission Permission name

    \return True:  If the \a user is granted the \a permission
            False: Otherwise
    """
    return (permission in user.getPermissions())

  def roleHasPermission(self, role, permission):
    """Check if \a permission exists in \a role.

    \param role Role name
    \param permission Permission name

    \return True:  If \a role has \a permission.
            False: otherwise.
    """
    return (permission in self.__roles[role])

  def getPermissions(self, role=None):
    """Returns the list of all permissions defined.
    If \a role has been specified then returns
    all permissions defined for that role.

    \param role Role name

    \return List of sll permissions or permissions for the specified role
    """
    if role is not None:
      return self.__roles[role]
    else:
      return self.__permissions.keys()

  def getPermissionDescription(self, permission):
    """Returns the description for the specified permission.
    If permission does not exist, returns None.

    \param permission Permission name

    \return Permission description string
    """
    if permission in self.__permissions:
      return self.__permissions[permission]

  def getRoles(self):
    """Returns the list of all roles defined.

    \return List of all roles.
    """
    return self.__roles.keys()

  def authenticateUser(self, loginId, password):
    """Authenticate the user based on the given login id and password.

    \param loginId  User's login id
    \param password User's password

    \return -1: User authentication failed, invalid user id or password
            -2: Password database is not accessible
             0: Access granted
    """
    openFlag = os.O_RDONLY
    if sys.platform =='win32':
      openFlag|=os.O_BINARY
    if os.access(self.__passwords,os.O_RDONLY):
      fd = os.open(self.__passwords,openFlag)
    else:
      log.debug("Password database is not accessible.")
      return -2

    #md5sum = md5.new()
    user_name = "Nothing"
    user_home = "Nothing"
    user_login = loginId
    user_password = password
    #md5sum.update(user_password)
    #user_passhash = hexlify(md5sum.digest())
    user_passhash="Nothing"
    user_attempts = 0
    user_sizeof = calcsize(self.__fmt)
    user_data = pack(self.__fmt,user_name,user_home,user_login,user_passhash,user_attempts)
    while len(user_data) == user_sizeof:
      user_data = os.read(fd,user_sizeof)
      if len(user_data) == user_sizeof:
        (u_name,u_home,u_login,u_passhash,u_attempts) = unpack(self.__fmt,user_data)
        #print "<%s><%s><%s><%s>" % (u_login, user_login, u_passhash, user_passhash)
        if u_login.strip('\0 ') == user_login.strip() and self.__check(u_passhash, user_password):
          log.debug("Access Granted to user with the login id=%s" % loginId)
          os.close(fd)
          return 0
    log.debug("User authentication failed, loginId=%s" % loginId)
    os.close(fd)
    return -1


  def changePassword(self, loginId, password, userName, oldPassword=""):
    """Change an existing user's password.

    \param loginId     User's login id
    \param password    The new password for the user
    \param userName    User's full name
    \param oldPassword User's old password (optional).
                       If this parameter is not specified the old password
                       is not verified. This is useful when the password
                       needs to be reset due to a forgotten password.

    \return -1: Invalid login or password
            -2: Password database is not accessible
            -3: Error accessing the password database
             0: Password changed successfully
    """

    try:
      # Need to use low-level file I/O here since we are going to use lseek
      if os.access(self.__passwords,os.O_RDWR):
        fd = os.open(self.__passwords,os.O_BINARY|os.O_RDWR)
      else:
        log.debug("Password database is not accessible.")
        return -2
    except:
      log.exception("Error accessing the password database")
      return -3


    #md5sum = md5.new()
    user_name = userName
    user_home = "Nothing"
    user_login = loginId
    user_password = oldPassword
    #md5sum.update(user_password)
    #user_passhash = hexlify(md5sum.digest())
    user_passhash = "Nothing"
    user_attempts = 0
    user_sizeof = calcsize(self.__fmt)
    user_data = pack(self.__fmt,user_name,user_home,user_login,user_passhash,user_attempts)
    while len(user_data) == user_sizeof:
      user_data = os.read(fd, user_sizeof)
      if len(user_data) == user_sizeof:
        (u_name,u_home,u_login,u_passhash,u_attempts) = unpack(self.__fmt,user_data)
        if u_login.strip('\0 ') == user_login.strip() and (oldPassword == "" or self.__check(u_passhash, user_password)):
          new_password = password
          #newmd5sum = md5.new(new_password)
          #new_passhash = hexlify(newmd5sum.digest())
          new_passhash = self.__create(new_password)
          user_info = pack(self.__fmt,user_name,u_home,u_login,new_passhash,u_attempts)
          os.lseek(fd,-user_sizeof,1)
          os.write(fd,user_info)
          os.close(fd)
          log.debug("Password for user %s changed" % loginId)
          return 0
    os.close(fd)
    log.debug("Invalid login or password trying to change the password for user %s" % loginId)
    return -1

  def addPassword(self, loginId, password, userName):
    """Add a new user to the password database

    \param loginId  User's login id
    \param password The new password for the user
    \param userName User's full name

    \return -3: Error accessing the password database
            -2: User already exists in password database
            -1: Invalid login or password
             0: Added user to the password database
    """
    try:
      if os.access(self.__passwords,os.O_RDWR):
        fd = os.open(self.__passwords,os.O_BINARY|os.O_RDWR)
        newfile = 0
      else:
        fd = os.open(self.__passwords,os.O_BINARY|os.O_RDWR|os.O_CREAT)
        newfile = 1
    except:
      log.exception("Error accessing the password database")
      return -3
    #md5sum = md5.new()
    user_name = userName
    user_home = "Nothing"
    user_login = loginId
    user_password = password
    #md5sum.update(user_password)
    #user_passhash = hexlify(md5sum.digest())
    user_passhash = self.__create(user_password)
    user_attempts = 0
    user_sizeof = calcsize(self.__fmt)
    user_info = pack(self.__fmt,user_name,user_home,user_login,user_passhash,user_attempts)
    user_data = user_info
    if newfile:
      log.debug("Added user %s to the password database" % loginId)
      os.write(fd,user_info)
      os.close(fd)
      return 0
    while len(user_data) == user_sizeof:
      user_data = os.read(fd,user_sizeof)
      if len(user_data) == user_sizeof:
        (u_name,u_home,u_login,u_passhash,u_attempts) = unpack(self.__fmt,user_data)
        if u_login.strip('\0 ') == user_login.strip():
          log.debug("User %s already exists in password database." % loginId)
          os.close(fd)
          return -2
    log.debug("Added user %s to the password database" % loginId)
    os.write(fd,user_info)
    os.close(fd)
    return 0

  def checkPassword(self, loginId):
    """Checks if a user already has a password

    \param loginId  User's login id

    \return -1: Password does not exist
             0: Password exists
    """
    if os.access(self.__passwords,os.O_RDONLY):
      fd = os.open(self.__passwords,os.O_BINARY|os.O_RDONLY)
    else:
      return -1
    #md5sum = md5.new()
    user_name = "Nothing"
    user_home = "Nothing"
    user_login = loginId
    user_password = "Nothing"
    user_passhash = "Nothing"
    user_attempts = 0
    user_sizeof = calcsize(self.__fmt)
    user_info = pack(self.__fmt,user_name,user_home,user_login,user_passhash,user_attempts)
    user_data = user_info
    while len(user_data) == user_sizeof:
      user_data = os.read(fd,user_sizeof)
      if len(user_data) == user_sizeof:
        (u_name,u_home,u_login,u_passhash,u_attempts) = unpack(self.__fmt,user_data)
        if u_login.strip('\0 ') == user_login.strip():
          os.close(fd)
          return 0
    os.close(fd)
    return -1


  def deleteUser(self, loginId):
    """Deletes the user based on the given login id and password.

    \param loginId  User's login id
    \param password User's password

    \return -1: User authentication failed, invalid user id or password
            -2: Password database is not accessible
             0: User deleted
    """
    if os.access(self.__passwords,os.O_RDWR):
      fd = os.open(self.__passwords,os.O_BINARY|os.O_RDWR)
    else:
      log.debug("Password database is not accessible.")
      return -2

    #md5sum = md5.new()
    (fmode, fino, fdev, fnlink, fuid, fgid, fsize, fatime, fmtime, fctime) = os.fstat(fd)
    user_name = "Nothing"
    user_home = "Nothing"
    user_login = loginId
    #user_password = password
    #md5sum.update(user_password)
    #user_passhash = hexlify(md5sum.digest())
    user_passhash="Nothing"
    user_attempts = 0
    user_sizeof = calcsize(self.__fmt)
    user_data = pack(self.__fmt,user_name,user_home,user_login,user_passhash,user_attempts)
    while len(user_data) == user_sizeof:
      user_data = os.read(fd,user_sizeof)
      if len(user_data) == user_sizeof:
        (u_name,u_home,u_login,u_passhash,u_attempts) = unpack(self.__fmt,user_data)
        #print "<%s><%s><%s><%s>" % (u_login, user_login, u_passhash, user_passhash)
        if u_login.strip('\0 ') == user_login.strip(): # and self.__check(u_passhash, user_password):
          log.debug("Access Granted to user with the login id=%s" % loginId)
          curpos = os.lseek(fd,0,1)
          if curpos == fsize:
            os.close(fd)
            f = open(self.__passwords, "ab+")
            f.truncate(fsize - user_sizeof)
            f.close()
            log.debug("User %s deleted" % loginId)
            return 0
          buf = os.read(fd,fsize - curpos)
          os.lseek(fd,curpos - user_sizeof,0)
          os.write(fd,buf)
          os.close(fd)
          f = open(self.__passwords,"ab+")
          f.truncate(fsize - user_sizeof)
          f.close()
          log.debug("User %s deleted" % loginId)
          return 0
    log.debug("User authentication failed, loginId=%s" % loginId)
    os.close(fd)
    return -1


  ## private:

  # Password encryption/verification routines
  def __makesalt(self):
      l = [ chr(random.randint(0,255)) for i in range(4) ]
      return ''.join(l)

  def __create(self, password):
      salt = self.__makesalt()
      text = salt + password
      pwdHash = sha.new(text).digest()
      data = salt + pwdHash
      return base64.encodestring(data)

  def __check(self, data, password):
      data = base64.decodestring(data)
      salt, pwdHash = data[:4], data[4:]
      pwdHash2 = sha.new(salt + password).digest()
      return pwdHash2 == pwdHash

---