Authentication library

A base authentication & authorization module.

Includes the base class BaseAuth.

Authentication and authorization in NIPAP

NIPAP offers basic authentication with two different backends, a simple two-level authorization model and a trust system that simplifies system integration.

Readonly users are only authorized to run queries which do not modify any data in the database. No further granularity of access control is offered at this point.

Trusted users can perform operations which will be logged as performed by another user. This feature is meant for system integration, for example a NIPAP client which has its own means of authenticating users, such as a web application supporting NTLM single sign-on. By letting the web application use a trusted account to authenticate against the NIPAP service, it can specify the username of the end-user, so that audit logs will be written with the correct information. Without the trusted bit, all queries performed by end-users through such a system would look like they were performed by the system itself.

The NIPAP auth system also has a concept of authoritative source. The authoritative source is a string which simply defines what system is the authoritative source of data for a prefix. Well-behaved clients SHOULD present a warning to the user when trying to alter a prefix with an authoritative source different from the system itself, as other systems might depend on the information being unchanged. This is, however, by no means enforced by the NIPAP service.

Authentication backends

Two authentication backends are shipped with NIPAP:

  • LdapAuth - authenticates users against an LDAP server
  • SqliteAuth - authenticates users against a local SQLite database

The authentication classes presented here are used both in the NIPAP web UI and in the XML-RPC backend. So far only the SqliteAuth backend supports trusted and readonly users.

What authentication backend to use can be specified by suffixing the username with @`backend`, where backend is set in the configuration file. If not defined, a (configurable) default backend is used.

Authentication options

With each NIPAP query authentication options can be specified. The authentication options are passed as a dict with the following keys taken into account:

  • authoritative_source - Authoritative source for the query.
  • username - Username to impersonate; requires authentication as a trusted user.
  • full_name - Full name of the impersonated user.
  • readonly - True for read-only users.
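As an added illustration (this is not code from nipap.authlib), the following Python model shows the three rules just described working together: backend selection from the @backend suffix, auth_options overrides that only a trusted account may use, and the read-only restriction on data-modifying queries. Backend names, accounts and passwords are constructed sample data.

```python
from dataclasses import dataclass
import hmac
# Constructed sample data; backend names and accounts are assumptions.
DEFAULT_BACKEND = "sqlite"
BACKENDS = {"sqlite", "ldap"}
# username -> (password, trusted, readonly); shared by both backends here
USERS = {
    "webapp": ("s3cret", True, False),   # trusted integration account
    "alice": ("hunter2", False, True),   # read-only user
    "bob": ("pass", False, False),       # ordinary read/write user
}

class AuthenticationFailed(Exception): pass
class AuthorizationFailed(Exception): pass

@dataclass
class Session:
    backend: str
    username: str            # account that actually authenticated
    effective_user: str      # user that the audit log will name
    authoritative_source: str
    readonly: bool

def split_backend(username):
    """'alice@ldap' -> ('alice', 'ldap'); no suffix -> default backend."""
    name, sep, backend = username.partition("@")
    backend = backend if sep else DEFAULT_BACKEND
    if backend not in BACKENDS:
        raise AuthenticationFailed("unknown auth backend %r" % backend)
    return name, backend

def get_auth(username, password, authoritative_source, auth_options=None):
    name, backend = split_backend(username)
    pwd, trusted, readonly = USERS.get(name, ("", False, False))
    if name not in USERS or not hmac.compare_digest(pwd.encode(), password.encode()):
        raise AuthenticationFailed("bad credentials for %r" % name)
    opts = auth_options or {}
    # Only a trusted account may impersonate another user or override the
    # authoritative source; anyone else supplying them is refused.
    if not trusted and ("username" in opts or "authoritative_source" in opts):
        raise AuthorizationFailed("impersonation requires a trusted user")
    return Session(backend, name, opts.get("username", name),
                   opts.get("authoritative_source", authoritative_source),
                   readonly or bool(opts.get("readonly", False)))

def authorize(session, modifies_data):
    """Read-only users may only run queries that do not modify data."""
    if session.readonly and modifies_data:
        raise AuthorizationFailed("%s is read-only" % session.effective_user)
    return True
```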

Classes

exception nipap.authlib.AuthError

General auth exception.

class nipap.authlib.AuthFactory

A factory for authentication backends.

get_auth(username, password, authoritative_source, auth_options=None)

Returns an authentication object.

Examines the auth backend given after the ‘@’ in the username and returns a suitable instance of a subclass of the BaseAuth class.

  • username [string]
    Username to authenticate as.
  • password [string]
    Password to authenticate with.
  • authoritative_source [string]
    Authoritative source of the query.
  • auth_options [dict]
    A dict which, if authenticated as a trusted user, can override username and authoritative_source.

reload()

Reload AuthFactory.

exception nipap.authlib.AuthSqliteError

Problem with the SQLite database.

exception nipap.authlib.AuthenticationFailed

Authentication failed.

exception nipap.authlib.AuthorizationFailed

Authorization failed.

class nipap.authlib.BaseAuth(username, password, authoritative_source, auth_backend, auth_options=None)

A base authentication class.

All authentication modules should extend this class.

authenticate()

Verify authentication.

Returns True/False dependent on whether the authentication succeeded or not.

authorize()

Verify authorization.

Check if a user is authorized to perform a specific operation.

class nipap.authlib.LdapAuth(name, username, password, authoritative_source, auth_options=None)

An authentication and authorization class for LDAP auth.

authenticate()

Verify authentication.

Returns True/False dependent on whether the authentication succeeded or not.

class nipap.authlib.SqliteAuth(name, username, password, authoritative_source, auth_options=None)

An authentication and authorization class for local auth.

add_user(username, password, full_name=None, trusted=False, readonly=False)

Add user to SQLite database.

  • username [string]
    Username of new user.
  • password [string]
    Password of new user.
  • full_name [string]
    Full name of new user.
  • trusted [boolean]
    Whether the new user should be trusted or not.
  • readonly [boolean]
    Whether the new user can only read or not.

authenticate()

Verify authentication.

Returns True/False dependent on whether the authentication succeeded or not.

get_user(username)

Fetch the user from the database.

The function will return None if the user is not found.

list_users()

List all users.

modify_user(username, data)

Modify user in SQLite database.

Since username is used as primary key and we only have a single argument for it we can’t modify the username right now.

remove_user(username)

Remove user from the SQLite database.

  • username [string]
    Username of user to remove.