wradmin/lib/mediawiki.py

   1 #!/usr/bin/python3.4
   2 # $Id$
   3 """MediaWiki communication functions"""
   4 import datetime
   5 import re
   6
   7 from authkit.users import UsersReadOnly, md5, AuthKitError
   8 import formencode, formencode.national
   9
  10 import logging
  11 log = logging.getLogger(__name__)
  12
  13 import wradmin.model as model
  14 import wradmin.model.validators
  15
  16
  17 # User management
  18 # ---------------
  19
  20 class MediaWikiUsers(UsersReadOnly):
  21     def __init__(self, data=None, encrypt=None):
  22         UsersReadOnly.__init__(self, data, encrypt)
  23
  24         # Initialize class fields
  25         self.usernames = []
  26         self.passwords = {}
  27         self.roles = {}
  28         self.groups = {}
  29         self.user_ids = {} # MediaWiki user_id field of the database
  30         self.real_names = {} # Real names of the users
  31         self.emails = {} # E-Mail addresses of the users
  32
  33         # Query database
  34         con = model.meta.engine.connect()
  35         sql = "SELECT user_id, user_name, user_real_name, user_password, user_email FROM user, user_groups WHERE ug_user=user_id AND ug_group='beauftragte'"
  36         result = con.execute(sql)
  37         for row in result:
  38             user_id, username, real_name, password, email = row
  39             username = username.lower()
  40             role = []
  41             group = None
  42
  43             self.usernames.append(username)
  44             self.passwords[username] = password
  45             self.roles[username] = role
  46             self.groups[username] = group
  47             self.user_ids[username] = user_id
  48             self.real_names[username] = real_name
  49             self.emails[username] = email
  50         con.close()
  51         log.info("%d users loaded from the MediaWiki database" % len(self.usernames))
  52
  53     @staticmethod
  54     def password_is_correct(password_plain, password_db):
  55         """Returns true if a plain text password corresponds to the hash of the password as stored in the MediaWiki db.
  56
  57         :param password_plain: plain text password, e.g. 'abc'
  58         :param password_db: complete password line as stored in the database, e.g. ':pbkdf2:sha256:10000:128:EXgVGhc2mAs710feKvkiaw==:J5fYth9pg/R2d0F8bSsYfTR8SBpTBNIcdv/DgJ0tOPC1rtajl2Dr0RLqOozLb8O0XpDhtv4a3JJd/M0b58WebfNWAcdJBJI9nNeC0EYYD7OCYZGVAaRhiYtK4m53KZBBL6x/k2j4RjHPT1NmgV8Fr1DPqBNOlOHxUIh5z5oslM4='
  59         """
  60         if not password_db.startswith(':'):
  61             raise AuthKitError("Password entry in the database does have an unexpected format (does not start with ':').")
  62         pwd_parts = password_db[1:].split(':')
  63         pwd_type = pwd_parts[0]
  64         if pwd_type == 'B':
  65             # legacy
  66             # example: password_db == ':B:d25b2886:41e46c952790b1b442aac4f24f7ea7a8'
  67             # pwd_parts == ['B', 'd25b2886', '41e46c952790b1b442aac4f24f7ea7a8']
  68             if len(pwd_parts) != 3:
  69                 raise AuthKitError("Password entry in the database does have an unexpected format (too few ':').")
  70             salt, pwd_md5 = tuple(pwd_parts[1:3]) # salt = 'd25b2886'; pwd_md5 = '41e46c952790b1b442aac4f24f7ea7a8'
  71             # log.info("user: '%s'; md5 of salt+' '+entered_pwd: '%s'; md5-part of DB-pwd: %s" % (username, md5(salt + '-' + md5(password)), pwd_md5))
  72             return md5(salt + '-' + md5(password_plain)) == pwd_md5
  73         elif pwd_type == 'pbkdf2':
  74             if len(pwd_parts) != 6:
  75                 raise AuthKitError("Password entry in the database does have an unexpected format (too few ':').")
  76             _, algorithm, rounds, num_bit, salt, pwd_hash = pwd_parts
  77             from base64 import b64decode, b64encode
  78             from hashlib import pbkdf2_hmac
  79             salt = b64decode(salt)
  80             hash = pbkdf2_hmac(algorithm, password_plain, salt, int(rounds), int(num_bit))
  81             hash = b64encode(hash)
  82             return hash == pwd_hash
  83
  84
  85     def user_has_password(self, username, password):
  86         """
  87         Passwords are case sensitive.
  88         Returns ``True`` if the user has the password specified, ``False`` otherwise.
  89         Raises an exception if the user doesn't exist.
  90
  91         See http://www.winterrodeln.org/trac/wiki/MediaWikiAuthorization
  92         """
  93         password_db = self.user_password(username)
  94         return self.password_is_correct(password, password_db)