From 87cfa88f2447a7337ad6048755a37892787aecf9 Mon Sep 17 00:00:00 2001
From: Tristan Cavelier <tristan.cavelier@tiolive.com>
Date: Fri, 23 Jan 2015 09:59:08 +0000
Subject: [PATCH] Add ERP5Security Dumb HTTP Extraction Plugin

This the default way to authenticate in ERP5. Without this,
it is DANGEROUS to activate another plugin.

The PluggableAuthenticationService lists all activated plugin
and if at least one is available then it deactivate the default
way to authenticate. And if you are not able to pass the activated
plugin then you cannot login anymore.

To prevent this, we can activate a plugin which uses the default
way to authenticate (Dumb HTTP Extraction Plugin), and THEN activate
another plugin.
---
 ...t.erp5.testERP5DumbHTTPExtractionPlugin.py | 109 ++++++++++++++++
 ....erp5.testERP5DumbHTTPExtractionPlugin.xml | 123 ++++++++++++++++++
 .../bt/template_test_id_list                  |   3 +-
 .../ERP5DumbHTTPExtractionPlugin.py           |  82 ++++++++++++
 product/ERP5Security/__init__.py              |  11 ++
 ...curity_addERP5DumbHTTPExtractionPlugin.zpt |  36 +++++
 6 files changed, 363 insertions(+), 1 deletion(-)
 create mode 100644 bt5/erp5_access_token/TestTemplateItem/portal_components/test.erp5.testERP5DumbHTTPExtractionPlugin.py
 create mode 100644 bt5/erp5_access_token/TestTemplateItem/portal_components/test.erp5.testERP5DumbHTTPExtractionPlugin.xml
 create mode 100644 product/ERP5Security/ERP5DumbHTTPExtractionPlugin.py
 create mode 100644 product/ERP5Security/www/ERP5Security_addERP5DumbHTTPExtractionPlugin.zpt

diff --git a/bt5/erp5_access_token/TestTemplateItem/portal_components/test.erp5.testERP5DumbHTTPExtractionPlugin.py b/bt5/erp5_access_token/TestTemplateItem/portal_components/test.erp5.testERP5DumbHTTPExtractionPlugin.py
new file mode 100644
index 0000000000..c3e9ab9f94
--- /dev/null
+++ b/bt5/erp5_access_token/TestTemplateItem/portal_components/test.erp5.testERP5DumbHTTPExtractionPlugin.py
@@ -0,0 +1,109 @@
+# -*- coding: utf-8 -*-
+##############################################################################
+#
+# Copyright (c) 2015 Nexedi SA and Contributors. All Rights Reserved.
+#                    Tristan Cavelier <tristan.cavelier@nexedi.com>
+#
+# WARNING: This program as such is intended to be used by professional
+# programmers who take the whole responsability of assessing all potential
+# consequences resulting from its eventual inadequacies and bugs
+# End users who are looking for a ready-to-use solution with commercial
+# garantees and support are strongly adviced to contract a Free Software
+# Service Company
+#
+# This program is Free Software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+#
+##############################################################################
+
+from Products.ERP5Type.tests.ERP5TypeTestCase import ERP5TypeTestCase
+from ZPublisher.HTTPRequest import HTTPRequest
+from ZPublisher.HTTPResponse import HTTPResponse
+from Products.ERP5Security.ERP5DumbHTTPExtractionPlugin import ERP5DumbHTTPExtractionPlugin
+import base64
+import transaction
+import StringIO
+
+class TestERP5DumbHTTPExtractionPlugin(ERP5TypeTestCase):
+
+  test_id = 'test_erp5_dumb_http_extraction'
+
+  def getBusinessTemplateList(self):
+    return ('erp5_base',)
+
+  def generateNewId(self):
+    return str(self.portal.portal_ids.generateNewId(
+         id_group=('erp5_dumb_http_test_id')))
+
+  def afterSetUp(self):
+    """
+    This is ran before anything, used to set the environment
+    """
+    self.portal = self.getPortalObject()
+    self.new_id = self.generateNewId()
+    self._setupDumbHTTPExtraction()
+    transaction.commit()
+    self.tic()
+
+  def do_fake_request(self, request_method, headers={}):
+    __version__ = "0.1"
+    env={}
+    env['SERVER_NAME']='bobo.server'
+    env['SERVER_PORT']='80'
+    env['REQUEST_METHOD']=request_method
+    env['REMOTE_ADDR']='204.183.226.81 '
+    env['REMOTE_HOST']='bobo.remote.host'
+    env['HTTP_USER_AGENT']='Bobo/%s' % __version__
+    env['HTTP_HOST']='127.0.0.1'
+    env['SERVER_SOFTWARE']='Bobo/%s' % __version__
+    env['SERVER_PROTOCOL']='HTTP/1.0 '
+    env['HTTP_ACCEPT']='image/gif, image/x-xbitmap, image/jpeg, */* '
+    env['SERVER_HOSTNAME']='bobo.server.host'
+    env['GATEWAY_INTERFACE']='CGI/1.1 '
+    env['SCRIPT_NAME']='Main'
+    env.update(headers)
+    return HTTPRequest(StringIO.StringIO(), env, HTTPResponse())
+
+  def _setupDumbHTTPExtraction(self):
+    pas = self.portal.acl_users
+    access_extraction_list = [q for q in pas.objectValues() \
+        if q.meta_type == 'ERP5 Dumb HTTP Extraction Plugin']
+    if len(access_extraction_list) == 0:
+      dispacher = pas.manage_addProduct['ERP5Security']
+      dispacher.addERP5DumbHTTPExtractionPlugin(self.test_id)
+      getattr(pas, self.test_id).manage_activateInterfaces(
+        ('IExtractionPlugin',))
+    elif len(access_extraction_list) == 1:
+      self.test_id = access_extraction_list[0].getId()
+    elif len(access_extraction_list) > 1:
+      raise ValueError
+    transaction.commit()
+
+  def _createPerson(self, new_id, password=None):
+    """Creates a person in person module, and returns the object, after
+    indexing is done. """
+    person_module = self.getPersonModule()
+    person = person_module.newContent(portal_type='Person',
+      reference='TESTP-' + new_id)
+    if password:
+      person.setPassword(password)
+    person.newContent(portal_type = 'Assignment').open()
+    transaction.commit()
+    return person
+
+  def test_working_authentication(self):
+    person = self.person = self._createPerson(self.new_id, "test")
+    request = self.do_fake_request("GET", {"HTTP_AUTHORIZATION": "Basic " + base64.b64encode("%s:test" % self.new_id)})
+    ret = ERP5DumbHTTPExtractionPlugin("default_extraction").extractCredentials(request)
+    self.assertEquals(ret, {'login': self.new_id, 'password': 'test', 'remote_host': 'bobo.remote.host', 'remote_address': '204.183.226.81 '})
diff --git a/bt5/erp5_access_token/TestTemplateItem/portal_components/test.erp5.testERP5DumbHTTPExtractionPlugin.xml b/bt5/erp5_access_token/TestTemplateItem/portal_components/test.erp5.testERP5DumbHTTPExtractionPlugin.xml
new file mode 100644
index 0000000000..6c6f9f84fc
--- /dev/null
+++ b/bt5/erp5_access_token/TestTemplateItem/portal_components/test.erp5.testERP5DumbHTTPExtractionPlugin.xml
@@ -0,0 +1,123 @@
+<?xml version="1.0"?>
+<ZopeData>
+  <record id="1" aka="AAAAAAAAAAE=">
+    <pickle>
+      <global name="Test Component" module="erp5.portal_type"/>
+    </pickle>
+    <pickle>
+      <dictionary>
+        <item>
+            <key> <string>_recorded_property_dict</string> </key>
+            <value>
+              <persistent> <string encoding="base64">AAAAAAAAAAI=</string> </persistent>
+            </value>
+        </item>
+        <item>
+            <key> <string>default_reference</string> </key>
+            <value> <string>testERP5DumbHTTPExtractionPlugin</string> </value>
+        </item>
+        <item>
+            <key> <string>description</string> </key>
+            <value>
+              <none/>
+            </value>
+        </item>
+        <item>
+            <key> <string>id</string> </key>
+            <value> <string>test.erp5.testERP5DumbHTTPExtractionPlugin</string> </value>
+        </item>
+        <item>
+            <key> <string>portal_type</string> </key>
+            <value> <string>Test Component</string> </value>
+        </item>
+        <item>
+            <key> <string>sid</string> </key>
+            <value>
+              <none/>
+            </value>
+        </item>
+        <item>
+            <key> <string>text_content_error_message</string> </key>
+            <value>
+              <tuple/>
+            </value>
+        </item>
+        <item>
+            <key> <string>text_content_warning_message</string> </key>
+            <value>
+              <tuple/>
+            </value>
+        </item>
+        <item>
+            <key> <string>version</string> </key>
+            <value> <string>erp5</string> </value>
+        </item>
+        <item>
+            <key> <string>workflow_history</string> </key>
+            <value>
+              <persistent> <string encoding="base64">AAAAAAAAAAM=</string> </persistent>
+            </value>
+        </item>
+      </dictionary>
+    </pickle>
+  </record>
+  <record id="2" aka="AAAAAAAAAAI=">
+    <pickle>
+      <global name="PersistentMapping" module="Persistence.mapping"/>
+    </pickle>
+    <pickle>
+      <dictionary>
+        <item>
+            <key> <string>data</string> </key>
+            <value>
+              <dictionary/>
+            </value>
+        </item>
+      </dictionary>
+    </pickle>
+  </record>
+  <record id="3" aka="AAAAAAAAAAM=">
+    <pickle>
+      <global name="PersistentMapping" module="Persistence.mapping"/>
+    </pickle>
+    <pickle>
+      <dictionary>
+        <item>
+            <key> <string>data</string> </key>
+            <value>
+              <dictionary>
+                <item>
+                    <key> <string>component_validation_workflow</string> </key>
+                    <value>
+                      <persistent> <string encoding="base64">AAAAAAAAAAQ=</string> </persistent>
+                    </value>
+                </item>
+              </dictionary>
+            </value>
+        </item>
+      </dictionary>
+    </pickle>
+  </record>
+  <record id="4" aka="AAAAAAAAAAQ=">
+    <pickle>
+      <global name="WorkflowHistoryList" module="Products.ERP5Type.patches.WorkflowTool"/>
+    </pickle>
+    <pickle>
+      <tuple>
+        <none/>
+        <list>
+          <dictionary>
+            <item>
+                <key> <string>action</string> </key>
+                <value> <string>validate</string> </value>
+            </item>
+            <item>
+                <key> <string>validation_state</string> </key>
+                <value> <string>validated</string> </value>
+            </item>
+          </dictionary>
+        </list>
+      </tuple>
+    </pickle>
+  </record>
+</ZopeData>
diff --git a/bt5/erp5_access_token/bt/template_test_id_list b/bt5/erp5_access_token/bt/template_test_id_list
index dade01270f..3f19acd9e2 100644
--- a/bt5/erp5_access_token/bt/template_test_id_list
+++ b/bt5/erp5_access_token/bt/template_test_id_list
@@ -1,2 +1,3 @@
 test.erp5.testERP5AccessTokenAlarm
-test.erp5.testERP5AccessTokenSkins
\ No newline at end of file
+test.erp5.testERP5AccessTokenSkins
+test.erp5.testERP5DumbHTTPExtractionPlugin
\ No newline at end of file
diff --git a/product/ERP5Security/ERP5DumbHTTPExtractionPlugin.py b/product/ERP5Security/ERP5DumbHTTPExtractionPlugin.py
new file mode 100644
index 0000000000..1ee1c2b382
--- /dev/null
+++ b/product/ERP5Security/ERP5DumbHTTPExtractionPlugin.py
@@ -0,0 +1,82 @@
+# -*- coding: utf-8 -*-
+##############################################################################
+#
+# Copyright (c) 2015 Nexedi SA and Contributors. All Rights Reserved.
+#                    Tristan Cavelier <tristan.cavelier@nexedi.com>
+#
+# WARNING: This program as such is intended to be used by professional
+# programmers who take the whole responsibility of assessing all potential
+# consequences resulting from its eventual inadequacies and bugs
+# End users who are looking for a ready-to-use solution with commercial
+# guarantees and support are strongly adviced to contract a Free Software
+# Service Company
+#
+# This program is Free Software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+#
+##############################################################################
+
+from Products.ERP5Type.Globals import InitializeClass
+
+from AccessControl import ClassSecurityInfo
+from Products.PageTemplates.PageTemplateFile import PageTemplateFile
+
+from Products.PluggableAuthService.interfaces import plugins
+from Products.PluggableAuthService.utils import classImplements
+from Products.PluggableAuthService.plugins.BasePlugin import BasePlugin
+from Products.PluggableAuthService.PluggableAuthService import DumbHTTPExtractor
+
+from Products.ERP5Type.UnrestrictedMethod import UnrestrictedMethod
+
+class ERP5DumbHTTPExtractionPlugin(BasePlugin):
+  """
+    Default authentication behavior
+  """
+
+  meta_type = "ERP5 Dumb HTTP Extraction Plugin"
+  security = ClassSecurityInfo()
+
+  def __init__(self, id, title=None):
+    #Register value
+    self._setId(id)
+    self.title = title
+
+  security.declarePrivate('extractCredentials')
+  @UnrestrictedMethod
+  def extractCredentials(self, request):
+    return DumbHTTPExtractor().extractCredentials(request);
+
+#Form for new plugin in ZMI
+manage_addERP5DumbHTTPExtractionPluginForm = PageTemplateFile(
+  'www/ERP5Security_addERP5DumbHTTPExtractionPlugin', globals(),
+  __name__='manage_addERP5DumbHTTPExtractionPluginForm')
+
+def addERP5DumbHTTPExtractionPlugin(dispatcher, id, title=None, REQUEST=None):
+  """ Add an ERP5DumbHTTPExtractionPlugin to a Pluggable Auth Service. """
+
+  plugin = ERP5DumbHTTPExtractionPlugin(id, title)
+  dispatcher._setObject(plugin.getId(), plugin)
+
+  if REQUEST is not None:
+      REQUEST['RESPONSE'].redirect(
+          '%s/manage_workspace'
+          '?manage_tabs_message='
+          'ERP5DumbHTTPExtractionPlugin+added.'
+          % dispatcher.absolute_url())
+
+#List implementation of class
+classImplements(ERP5DumbHTTPExtractionPlugin,
+                plugins.ILoginPasswordHostExtractionPlugin
+               )
+InitializeClass(ERP5DumbHTTPExtractionPlugin)
diff --git a/product/ERP5Security/__init__.py b/product/ERP5Security/__init__.py
index 287be31d2b..2d2967e9fd 100644
--- a/product/ERP5Security/__init__.py
+++ b/product/ERP5Security/__init__.py
@@ -30,6 +30,7 @@ import ERP5ExternalAuthenticationPlugin
 import ERP5BearerExtractionPlugin
 import ERP5ExternalOauth2ExtractionPlugin
 import ERP5AccessTokenExtractionPlugin
+import ERP5DumbHTTPExtractionPlugin
 
 def mergedLocalRoles(object):
   """Returns a merging of object and its ancestors'
@@ -69,6 +70,7 @@ registerMultiPlugin(ERP5BearerExtractionPlugin.ERP5BearerExtractionPlugin.meta_t
 registerMultiPlugin(ERP5ExternalOauth2ExtractionPlugin.ERP5FacebookExtractionPlugin.meta_type)
 registerMultiPlugin(ERP5ExternalOauth2ExtractionPlugin.ERP5GoogleExtractionPlugin.meta_type)
 registerMultiPlugin(ERP5AccessTokenExtractionPlugin.ERP5AccessTokenExtractionPlugin.meta_type)
+registerMultiPlugin(ERP5DumbHTTPExtractionPlugin.ERP5DumbHTTPExtractionPlugin.meta_type)
 
 def initialize(context):
 
@@ -162,6 +164,15 @@ def initialize(context):
                          , icon='www/portal.gif'
                          )
 
+    context.registerClass( ERP5DumbHTTPExtractionPlugin.ERP5DumbHTTPExtractionPlugin
+                         , permission=ManageUsers
+                         , constructors=(
+                            ERP5DumbHTTPExtractionPlugin.manage_addERP5DumbHTTPExtractionPluginForm,
+                            ERP5DumbHTTPExtractionPlugin.addERP5DumbHTTPExtractionPlugin, )
+                         , visibility=None
+                         , icon='www/portal.gif'
+                         )
+
 from AccessControl.SecurityInfo import ModuleSecurityInfo
 ModuleSecurityInfo('Products.ERP5Security.ERP5UserManager').declarePublic(
   'getUserByLogin')
diff --git a/product/ERP5Security/www/ERP5Security_addERP5DumbHTTPExtractionPlugin.zpt b/product/ERP5Security/www/ERP5Security_addERP5DumbHTTPExtractionPlugin.zpt
new file mode 100644
index 0000000000..0f4f8ec19d
--- /dev/null
+++ b/product/ERP5Security/www/ERP5Security_addERP5DumbHTTPExtractionPlugin.zpt
@@ -0,0 +1,36 @@
+<h1 tal:replace="structure context/manage_page_header">PAGE HEADER</h1>
+<h2 tal:define="form_title string:Add ERP5 Dumb HTTP Extraction Plugin"
+    tal:replace="structure context/manage_form_title">FORM TITLE</h2>
+
+<p class="form-help">Please input the configuration</p>
+
+<form action="addERP5DumbHTTPExtractionPlugin" method="POST">
+<table cellspacing="0" cellpadding="2" border="0">
+  <tr>
+    <td align="left" valign="top">
+    <div class="form-label">
+    Id
+    </div>
+    </td>
+    <td align="left" valign="top">
+    <input type="text" name="id" size="40" />
+    </td>
+  </tr>
+  <tr>
+    <td align="left" valign="top">
+    <div class="form-label">
+    Title
+    </div>
+    </td>
+    <td align="left" valign="top">
+    <input type="text" name="title" size="40" />
+    </td>
+  </tr>
+  <tr>
+    <td colspan="2"> <input type="submit" value="add plugin"/>
+    </td>
+  </tr>
+</table>
+</form>
+
+<h1 tal:replace="structure context/manage_page_footer">PAGE FOOTER</h1>
-- 
2.30.9