Add ERP5Security Dumb HTTP Extraction Plugin

This the default way to authenticate in ERP5. Without this,
it is DANGEROUS to activate another plugin.

The PluggableAuthenticationService lists all activated plugin
and if at least one is available then it deactivate the default
way to authenticate. And if you are not able to pass the activated
plugin then you cannot login anymore.

To prevent this, we can activate a plugin which uses the default
way to authenticate (Dumb HTTP Extraction Plugin), and THEN activate
another plugin.

bt5/erp5_access_token/TestTemplateItem/portal_components/test.erp5.testERP5DumbHTTPExtractionPlugin.py

+# -*- coding: utf-8 -*-
+##############################################################################
+#
+# Copyright (c) 2015 Nexedi SA and Contributors. All Rights Reserved.
+#                    Tristan Cavelier <tristan.cavelier@nexedi.com>
+#
+# WARNING: This program as such is intended to be used by professional
+# programmers who take the whole responsability of assessing all potential
+# consequences resulting from its eventual inadequacies and bugs
+# End users who are looking for a ready-to-use solution with commercial
+# garantees and support are strongly adviced to contract a Free Software
+# Service Company
+#
+# This program is Free Software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+#
+##############################################################################
+
+from Products.ERP5Type.tests.ERP5TypeTestCase import ERP5TypeTestCase
+from ZPublisher.HTTPRequest import HTTPRequest
+from ZPublisher.HTTPResponse import HTTPResponse
+from Products.ERP5Security.ERP5DumbHTTPExtractionPlugin import ERP5DumbHTTPExtractionPlugin
+import base64
+import transaction
+import StringIO
+
+class TestERP5DumbHTTPExtractionPlugin(ERP5TypeTestCase):
+
+  test_id = 'test_erp5_dumb_http_extraction'
+
+  def getBusinessTemplateList(self):
+    return ('erp5_base',)
+
+  def generateNewId(self):
+    return str(self.portal.portal_ids.generateNewId(
+         id_group=('erp5_dumb_http_test_id')))
+
+  def afterSetUp(self):
+    """
+    This is ran before anything, used to set the environment
+    """
+    self.portal = self.getPortalObject()
+    self.new_id = self.generateNewId()
+    self._setupDumbHTTPExtraction()
+    transaction.commit()
+    self.tic()
+
+  def do_fake_request(self, request_method, headers={}):
+    __version__ = "0.1"
+    env={}
+    env['SERVER_NAME']='bobo.server'
+    env['SERVER_PORT']='80'
+    env['REQUEST_METHOD']=request_method
+    env['REMOTE_ADDR']='204.183.226.81 '
+    env['REMOTE_HOST']='bobo.remote.host'
+    env['HTTP_USER_AGENT']='Bobo/%s' % __version__
+    env['HTTP_HOST']='127.0.0.1'
+    env['SERVER_SOFTWARE']='Bobo/%s' % __version__
+    env['SERVER_PROTOCOL']='HTTP/1.0 '
+    env['HTTP_ACCEPT']='image/gif, image/x-xbitmap, image/jpeg, */* '
+    env['SERVER_HOSTNAME']='bobo.server.host'
+    env['GATEWAY_INTERFACE']='CGI/1.1 '
+    env['SCRIPT_NAME']='Main'
+    env.update(headers)
+    return HTTPRequest(StringIO.StringIO(), env, HTTPResponse())
+
+  def _setupDumbHTTPExtraction(self):
+    pas = self.portal.acl_users
+    access_extraction_list = [q for q in pas.objectValues() \
+        if q.meta_type == 'ERP5 Dumb HTTP Extraction Plugin']
+    if len(access_extraction_list) == 0:
+      dispacher = pas.manage_addProduct['ERP5Security']
+      dispacher.addERP5DumbHTTPExtractionPlugin(self.test_id)
+      getattr(pas, self.test_id).manage_activateInterfaces(
+        ('IExtractionPlugin',))
+    elif len(access_extraction_list) == 1:
+      self.test_id = access_extraction_list[0].getId()
+    elif len(access_extraction_list) > 1:
+      raise ValueError
+    transaction.commit()
+
+  def _createPerson(self, new_id, password=None):
+    """Creates a person in person module, and returns the object, after
+    indexing is done. """
+    person_module = self.getPersonModule()
+    person = person_module.newContent(portal_type='Person',
+      reference='TESTP-' + new_id)
+    if password:
+      person.setPassword(password)
+    person.newContent(portal_type = 'Assignment').open()
+    transaction.commit()
+    return person
+
+  def test_working_authentication(self):
+    person = self.person = self._createPerson(self.new_id, "test")
+    request = self.do_fake_request("GET", {"HTTP_AUTHORIZATION": "Basic " + base64.b64encode("%s:test" % self.new_id)})
+    ret = ERP5DumbHTTPExtractionPlugin("default_extraction").extractCredentials(request)
+    self.assertEquals(ret, {'login': self.new_id, 'password': 'test', 'remote_host': 'bobo.remote.host', 'remote_address': '204.183.226.81 '})

bt5/erp5_access_token/TestTemplateItem/portal_components/test.erp5.testERP5DumbHTTPExtractionPlugin.xml

+<?xml version="1.0"?>
+<ZopeData>
+  <record id="1" aka="AAAAAAAAAAE=">
+    <pickle>
+      <global name="Test Component" module="erp5.portal_type"/>
+    </pickle>
+    <pickle>
+      <dictionary>
+        <item>
+            <key> <string>_recorded_property_dict</string> </key>
+            <value>
+              <persistent> <string encoding="base64">AAAAAAAAAAI=</string> </persistent>
+            </value>
+        </item>
+        <item>
+            <key> <string>default_reference</string> </key>
+            <value> <string>testERP5DumbHTTPExtractionPlugin</string> </value>
+        </item>
+        <item>
+            <key> <string>description</string> </key>
+            <value>
+              <none/>
+            </value>
+        </item>
+        <item>
+            <key> <string>id</string> </key>
+            <value> <string>test.erp5.testERP5DumbHTTPExtractionPlugin</string> </value>
+        </item>
+        <item>
+            <key> <string>portal_type</string> </key>
+            <value> <string>Test Component</string> </value>
+        </item>
+        <item>
+            <key> <string>sid</string> </key>
+            <value>
+              <none/>
+            </value>
+        </item>
+        <item>
+            <key> <string>text_content_error_message</string> </key>
+            <value>
+              <tuple/>
+            </value>
+        </item>
+        <item>
+            <key> <string>text_content_warning_message</string> </key>
+            <value>
+              <tuple/>
+            </value>
+        </item>
+        <item>
+            <key> <string>version</string> </key>
+            <value> <string>erp5</string> </value>
+        </item>
+        <item>
+            <key> <string>workflow_history</string> </key>
+            <value>
+              <persistent> <string encoding="base64">AAAAAAAAAAM=</string> </persistent>
+            </value>
+        </item>
+      </dictionary>
+    </pickle>
+  </record>
+  <record id="2" aka="AAAAAAAAAAI=">
+    <pickle>
+      <global name="PersistentMapping" module="Persistence.mapping"/>
+    </pickle>
+    <pickle>
+      <dictionary>
+        <item>
+            <key> <string>data</string> </key>
+            <value>
+              <dictionary/>
+            </value>
+        </item>
+      </dictionary>
+    </pickle>
+  </record>
+  <record id="3" aka="AAAAAAAAAAM=">
+    <pickle>
+      <global name="PersistentMapping" module="Persistence.mapping"/>
+    </pickle>
+    <pickle>
+      <dictionary>
+        <item>
+            <key> <string>data</string> </key>
+            <value>
+              <dictionary>
+                <item>
+                    <key> <string>component_validation_workflow</string> </key>
+                    <value>
+                      <persistent> <string encoding="base64">AAAAAAAAAAQ=</string> </persistent>
+                    </value>
+                </item>
+              </dictionary>
+            </value>
+        </item>
+      </dictionary>
+    </pickle>
+  </record>
+  <record id="4" aka="AAAAAAAAAAQ=">
+    <pickle>
+      <global name="WorkflowHistoryList" module="Products.ERP5Type.patches.WorkflowTool"/>
+    </pickle>
+    <pickle>
+      <tuple>
+        <none/>
+        <list>
+          <dictionary>
+            <item>
+                <key> <string>action</string> </key>
+                <value> <string>validate</string> </value>
+            </item>
+            <item>
+                <key> <string>validation_state</string> </key>
+                <value> <string>validated</string> </value>
+            </item>
+          </dictionary>
+        </list>
+      </tuple>
+    </pickle>
+  </record>
+</ZopeData>

bt5/erp5_access_token/bt/template_test_id_list

 test.erp5.testERP5AccessTokenAlarm
-test.erp5.testERP5AccessTokenSkins
\ No newline at end of file
+test.erp5.testERP5AccessTokenSkins
+test.erp5.testERP5DumbHTTPExtractionPlugin
\ No newline at end of file

product/ERP5Security/ERP5DumbHTTPExtractionPlugin.py

+# -*- coding: utf-8 -*-
+##############################################################################
+#
+# Copyright (c) 2015 Nexedi SA and Contributors. All Rights Reserved.
+#                    Tristan Cavelier <tristan.cavelier@nexedi.com>
+#
+# WARNING: This program as such is intended to be used by professional
+# programmers who take the whole responsibility of assessing all potential
+# consequences resulting from its eventual inadequacies and bugs
+# End users who are looking for a ready-to-use solution with commercial
+# guarantees and support are strongly adviced to contract a Free Software
+# Service Company
+#
+# This program is Free Software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+#
+##############################################################################
+
+from Products.ERP5Type.Globals import InitializeClass
+
+from AccessControl import ClassSecurityInfo
+from Products.PageTemplates.PageTemplateFile import PageTemplateFile
+
+from Products.PluggableAuthService.interfaces import plugins
+from Products.PluggableAuthService.utils import classImplements
+from Products.PluggableAuthService.plugins.BasePlugin import BasePlugin
+from Products.PluggableAuthService.PluggableAuthService import DumbHTTPExtractor
+
+from Products.ERP5Type.UnrestrictedMethod import UnrestrictedMethod
+
+class ERP5DumbHTTPExtractionPlugin(BasePlugin):
+  """
+    Default authentication behavior
+  """
+
+  meta_type = "ERP5 Dumb HTTP Extraction Plugin"
+  security = ClassSecurityInfo()
+
+  def __init__(self, id, title=None):
+    #Register value
+    self._setId(id)
+    self.title = title
+
+  security.declarePrivate('extractCredentials')
+  @UnrestrictedMethod
+  def extractCredentials(self, request):
+    return DumbHTTPExtractor().extractCredentials(request);
+
+#Form for new plugin in ZMI
+manage_addERP5DumbHTTPExtractionPluginForm = PageTemplateFile(
+  'www/ERP5Security_addERP5DumbHTTPExtractionPlugin', globals(),
+  __name__='manage_addERP5DumbHTTPExtractionPluginForm')
+
+def addERP5DumbHTTPExtractionPlugin(dispatcher, id, title=None, REQUEST=None):
+  """ Add an ERP5DumbHTTPExtractionPlugin to a Pluggable Auth Service. """
+
+  plugin = ERP5DumbHTTPExtractionPlugin(id, title)
+  dispatcher._setObject(plugin.getId(), plugin)
+
+  if REQUEST is not None:
+      REQUEST['RESPONSE'].redirect(
+          '%s/manage_workspace'
+          '?manage_tabs_message='
+          'ERP5DumbHTTPExtractionPlugin+added.'
+          % dispatcher.absolute_url())
+
+#List implementation of class
+classImplements(ERP5DumbHTTPExtractionPlugin,
+                plugins.ILoginPasswordHostExtractionPlugin
+               )
+InitializeClass(ERP5DumbHTTPExtractionPlugin)

product/ERP5Security/__init__.py

@@ -30,6 +30,7 @@ import ERP5ExternalAuthenticationPlugin
 import ERP5BearerExtractionPlugin
 import ERP5ExternalOauth2ExtractionPlugin
 import ERP5AccessTokenExtractionPlugin
+import ERP5DumbHTTPExtractionPlugin
 
 def mergedLocalRoles(object):
   """Returns a merging of object and its ancestors'
@@ -69,6 +70,7 @@ registerMultiPlugin(ERP5BearerExtractionPlugin.ERP5BearerExtractionPlugin.meta_t
 registerMultiPlugin(ERP5ExternalOauth2ExtractionPlugin.ERP5FacebookExtractionPlugin.meta_type)
 registerMultiPlugin(ERP5ExternalOauth2ExtractionPlugin.ERP5GoogleExtractionPlugin.meta_type)
 registerMultiPlugin(ERP5AccessTokenExtractionPlugin.ERP5AccessTokenExtractionPlugin.meta_type)
+registerMultiPlugin(ERP5DumbHTTPExtractionPlugin.ERP5DumbHTTPExtractionPlugin.meta_type)
 
 def initialize(context):
 
@@ -162,6 +164,15 @@ def initialize(context):
                          , icon='www/portal.gif'
                          )
 
+    context.registerClass( ERP5DumbHTTPExtractionPlugin.ERP5DumbHTTPExtractionPlugin
+                         , permission=ManageUsers
+                         , constructors=(
+                            ERP5DumbHTTPExtractionPlugin.manage_addERP5DumbHTTPExtractionPluginForm,
+                            ERP5DumbHTTPExtractionPlugin.addERP5DumbHTTPExtractionPlugin, )
+                         , visibility=None
+                         , icon='www/portal.gif'
+                         )
+
 from AccessControl.SecurityInfo import ModuleSecurityInfo
 ModuleSecurityInfo('Products.ERP5Security.ERP5UserManager').declarePublic(
   'getUserByLogin')

product/ERP5Security/www/ERP5Security_addERP5DumbHTTPExtractionPlugin.zpt

+<h1 tal:replace="structure context/manage_page_header">PAGE HEADER</h1>
+<h2 tal:define="form_title string:Add ERP5 Dumb HTTP Extraction Plugin"
+    tal:replace="structure context/manage_form_title">FORM TITLE</h2>
+
+<p class="form-help">Please input the configuration</p>
+
+<form action="addERP5DumbHTTPExtractionPlugin" method="POST">
+<table cellspacing="0" cellpadding="2" border="0">
+  <tr>
+    <td align="left" valign="top">
+    <div class="form-label">
+    Id
+    </div>
+    </td>
+    <td align="left" valign="top">
+    <input type="text" name="id" size="40" />
+    </td>
+  </tr>
+  <tr>
+    <td align="left" valign="top">
+    <div class="form-label">
+    Title
+    </div>
+    </td>
+    <td align="left" valign="top">
+    <input type="text" name="title" size="40" />
+    </td>
+  </tr>
+  <tr>
+    <td colspan="2"> <input type="submit" value="add plugin"/>
+    </td>
+  </tr>
+</table>
+</form>
+
+<h1 tal:replace="structure context/manage_page_footer">PAGE FOOTER</h1>