Developing plugins for PluggableAuthService
I just made a very neat plugin for PAS. I added it and activated it for everything it can do. It is now the *only* plugin active for Extraction, Challenge and Reset Credentials.
The problem is however, that nothing happens. None of the methods in the plugin gets called, ever!
So, eh, has anybody else here written plugins for PAS so they can point me in the right direction?
//Lennart
Lennart Regebro wrote:
I just made a very neat plugin for PAS. I added it and activated it for everything it can do. It is now the *only* plugin active for Extraction, Challenge and Reset Credentials.
The problem is however, that nothing happens. None of the methods in the plugin gets called, ever!
So, eh, has anybody else here written plugins for PAS so they can point me in the right direction?
The machinery won't be invoked for requests which don't need to validate (e.g., for resources viewable by Anonymous). Could that be the case for you? Tres. -- =============================================================== Tres Seaver tseaver@zope.com Zope Corporation "Zope Dealers" http://www.zope.com
Tres Seaver wrote:
The machinery won't be invoked for requests which don't need to validate (e.g., for resources viewable by Anonymous). Could that be the case for you?
No. Closer inspection seems to show that I actually don't get PAS to do anything at all. It is simply ignored, unless I put it into the root, in which case I can't do anything, since it doesn't care of emergency_user. So I'm completely stumped.
Lennart Regebro wrote:
Tres Seaver wrote:
The machinery won't be invoked for requests which don't need to validate (e.g., for resources viewable by Anonymous). Could that be the case for you?
No. Closer inspection seems to show that I actually don't get PAS to do anything at all. It is simply ignored, unless I put it into the root, in which case I can't do anything, since it doesn't care of emergency_user.
So I'm completely stumped.
Here is what I just did:
1. Created a folder, 'pas_test' in the root of my Zope, with a minimal 'index_html'.
2. Changed its security settings, removing "acquire" from the "View" permission and granting "View" to "Manager" and "Owner".
3. Verified that I could not view the folder as anonymous (got an HTTP basic auth challenge).
4. Added a PluggableAuthService, with the following plugins (all interfaces activated for each plugin):
- 'basic_auth', an HTTPBasicAuthHelper
- 'zodb_users', a ZODBUserManager
- 'zodb_roles', a ZODBRoleManager
5. In 'zodb_users', created a new user, 'tseaver'.
6. In 'zodb_roles', granted the "Owner" role to 'tseaver'.
7. Reloaded the anonymous window, got challenged, entered 'tseaver' and the password, and saw the page.
Tres. -- =============================================================== Tres Seaver tseaver@zope.com Zope Corporation "Zope Dealers" http://www.zope.com
Tres Seaver wrote:
Here is what I just did:
1. Created a folder, 'pas_test' in the root of my Zope, with a minimal 'index_html'.
2. Changed its security settings, removing "acquire" from the "View" permission and granting "View" to "Manager" and "Owner".
3. Verified that I could not view the folder as anonymous (got an HTTP basic auth challenge).
4. Added a PluggableAuthService, with the following plugins (all interfaces activated for each plugin):
- 'basic_auth', an HTTPBasicAuthHelper
- 'zodb_users', a ZODBUserManager
- 'zodb_roles', a ZODBRoleManager
5. In 'zodb_users', created a new user, 'tseaver'.
6. In 'zodb_roles', granted the "Owner" role to 'tseaver'.
7. Reloaded the anonymous window, got challenged, entered 'tseaver' and the password, and saw the page.
OK, thanks, this is what I discovered after doing this:
1. After I do all your stuff above, when I remove the HTTPBasicAuthHelper everything still works. I can still log in, even though there is no credential extractor active. That makes no sense.
2. After I create my plugin, it still gets no calls... However, BasicAuthentication stops working.
So now at least I know that PAS is involved in what happens.
Lennart Regebro wrote:
Tres Seaver wrote:
Here is what I just did:
1. Created a folder, 'pas_test' in the root of my Zope, with a minimal 'index_html'.
2. Changed its security settings, removing "acquire" from the "View" permission and granting "View" to "Manager" and "Owner".
3. Verified that I could not view the folder as anonymous (got an HTTP basic auth challenge).
4. Added a PluggableAuthService, with the following plugins (all interfaces activated for each plugin):
- 'basic_auth', an HTTPBasicAuthHelper
- 'zodb_users', a ZODBUserManager
- 'zodb_roles', a ZODBRoleManager
5. In 'zodb_users', created a new user, 'tseaver'.
6. In 'zodb_roles', granted the "Owner" role to 'tseaver'.
7. Reloaded the anonymous window, got challenged, entered 'tseaver' and the password, and saw the page.
OK, thanks, this is what I discovered after doing this:
1. After I do all your stuff above, when I remove the HTTPBasicAuthHelper everything still works. I can still log in, even though there is no credential extractor active. That makes no sense.
I think there is a "fallback" for the case when no other plugin is registered.
2. After I create my plugin, it still gets no calls...
Hmm, can you trace through the 'validate' method of the PAS? It tends to suppress exceptions raised by plugins (so that a broken one doesn't lock you out).
However, BasicAuthentication stops working.
Right, that would fit with my "fallback" memory.
So now at least I know that PAS is involved in what happens.
Tres. -- =============================================================== Tres Seaver tseaver@zope.com Zope Corporation "Zope Dealers" http://www.zope.com
Ah. PAS basically swallows all errors without even logging them, meaning that if you have an error, it basically makes your plugin "invisible". Not good. If an error happens, a LOG should be printed... I need to get myself new commit rights at Zope.org again. ;)
Lennart Regebro wrote:
Ah.
PAS basically swallows all errors without even logging them, meaning that if you have an error, it basically makes your plugin "invisible". Not good.
Here is the relevant snippet:

    # Errors which plugins may raise, and which we suppress:
    _SWALLOWABLE_PLUGIN_EXCEPTIONS = ( NameError
                                     , AttributeError
                                     , KeyError
                                     , TypeError
                                     , ValueError
                                     )

PAS treats any one of them as a sign of a broken plugin, and substitutes an "empty" default if a value is expected. My guess is that your plugin had a mismatched argument list for the interface method, and hence raised a TypeError (probably in the extraction method, if none of the others were called).
One thing which might help your plugin is to have unit tests which verify the interfaces the plugin is supposed to implement. You should be able to just mix in the appropriate classes from tests/conformance.py (which expect you to have a '_getTargetClass' method).
If an error happens, a LOG should be printed...
That wouldn't be a bad thing, at least when running in debug mode.
I need to get myself new commit rights at Zope.org again. ;)
Please do. Tres. -- =============================================================== Tres Seaver tseaver@zope.com Zope Corporation "Zope Dealers" http://www.zope.com
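The failure mode discussed in the messages above, as an added example that is not part of the thread and is not PAS's own code: a plugin with a mismatched argument list raises TypeError, the suppression tuple hides it, and the plugin simply contributes nothing unless the error is logged. The plugin classes, the logger name, the extract() loop and the accepts() helper are hypothetical; accepts() is a plain signature check standing in for the interface tests in tests/conformance.py, which are not reproduced here.

```python
import inspect
import logging

# Same exception tuple as in the snippet quoted from PAS above.
_SWALLOWABLE_PLUGIN_EXCEPTIONS = (NameError, AttributeError, KeyError,
                                  TypeError, ValueError)
logger = logging.getLogger("pas_demo")  # hypothetical logger name


class GoodExtractor:  # hypothetical plugin
    def extractCredentials(self, request):
        return {"login": request.get("login"), "password": request.get("pw")}


class BrokenExtractor:  # hypothetical plugin with a mismatched argument list
    def extractCredentials(self):  # caller passes `request`, so TypeError
        return {"login": "never reached"}


def extract(plugins, request, log_errors=False):
    """Simplified stand-in for the extraction loop; returns (found, suppressed ids)."""
    found, suppressed = [], []
    for plugin_id, plugin in plugins:
        try:
            creds = plugin.extractCredentials(request)
        except _SWALLOWABLE_PLUGIN_EXCEPTIONS:
            suppressed.append(plugin_id)
            if log_errors:  # the logging call asked for in the thread
                logger.exception("plugin %r failed in extractCredentials", plugin_id)
            continue  # "empty" default: the plugin contributes nothing
        if creds:
            found.append((plugin_id, creds))
    return found, suppressed


def accepts(plugin, method, *args):
    """Signature check: can `method` be called with these arguments?"""
    try:
        inspect.signature(getattr(plugin, method)).bind(*args)
        return True
    except TypeError:
        return False


def demo():
    request = {"login": "tseaver", "pw": "secret"}  # constructed sample request
    return extract([("broken", BrokenExtractor()), ("good", GoodExtractor())], request)
```

Running accepts() against each plugin in a unit test catches the mismatch before deployment; with log_errors=True the suppressed TypeError at least shows up with a traceback.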
And there I ran into the next problem... Seems like although there are challenge plugins and interfaces for creating challenges and everything, the challenge() method on challenge-plugins doesn't seem to be called from anywhere, ever!
Now, this is a bit strange, so I'm wondering if I'm missing something basic here, but no, I have grepped the whole Zope installation for any calls to challenge(), and I can only find it in the tests for PAS...
This is too bad, because for the CAS plugin that I started to write, I need to redirect to an external web-page. No can do at this moment. Maybe I'll get some time to help finish PAS later, but for the moment we'll just keep on using PluggableUserFolder, I guess.
//Lennart
Lennart Regebro wrote:
This is too bad, because for the CAS plugin that I started to write, I need to redirect to an external web-page. No can do at this moment.
You do know I have a working CASUserFolder, right? I've got a customer who wants this to work in a proxied environment, and I think they gave me the okay to develop it as plugins for PAS too... Wanna join forces? cheers, Chris -- Simplistix - Content Management, Zope & Python Consulting - http://www.simplistix.co.uk
Chris Withers wrote:
You do know I have a working CASUserFolder, right?
No, but we wouldn't have been able to use it, since we need CPS support.
I've got a customer who wants this to work in a proxied environment, and I think they gave me the okay to develop it as plugins for PAS too...
Wanna join forces?
Done! :) Although I wouldn't mind looking at your code to "double check".
Lennart Regebro wrote:
Chris Withers wrote:
You do know I have a working CASUserFolder, right?
No, but we wouldn't have been able to use it, since we need CPS support.
What does "CPS support" mean? Why wouldn't CASUserFolder work with CPS?
I've got a customer who wants this to work in a proxied environment, and I think they gave me the okay to develop it as plugins for PAS too...
Wanna join forces?
Done! :) Although I wouldn't mind looking at your code to "double check".
Does your stuff do CAS 2.0 proxying yet? cheers, Chris -- Simplistix - Content Management, Zope & Python Consulting - http://www.simplistix.co.uk
Lennart Regebro wrote:
If an error happens, a LOG should be printed...
Is there any chance I could tempt you to change these to be Python 2.3 style logging calls? Zope will be moving to them for 2.8 and it'd be great if you can change the code while you're "in there"... cheers, Chris -- Simplistix - Content Management, Zope & Python Consulting - http://www.simplistix.co.uk
According to Chris Withers:
Is there any chance I could tempt you to change these to be Python 2.3 style logging calls? Zope will be moving to them for 2.8 and it'd be great if you can change the code while you're "in there"...
Do you have an example at hand? I remember a posting to this list, but I cannot find it :-( \wlang{} -- Willi.Langenberger@wu-wien.ac.at Fax: +43/1/31336/9207 Zentrum fuer Informatikdienste, Wirtschaftsuniversitaet Wien, Austria
According to Lennart Regebro:
No. Closer inspection seems to show that I actually don't get PAS to do anything at all. It is simply ignored, unless I put it into the root, in which case I can't do anything, since it doesn't care of emergency_user.
I also had this problem with the emergency user. Try the following patch: -----snip-snip------------------- $ diff -u PluggableAuthService.py.ori PluggableAuthService.py --- PluggableAuthService.py.ori 2004-04-28 21:58:50.000000000 +0200 +++ PluggableAuthService.py 2004-07-31 23:08:22.000000000 +0200 @@ -784,7 +784,7 @@ """ user_id -> decorated_user """ - if user_id == self._emergency_user.getId(): + if user_id == self._emergency_user.getUserName(): return self._emergency_user if cache is None: -----snip-snip------------------- At least it worked for me. AFAIK its already in the CVS. \wlang{} -- Willi.Langenberger@wu-wien.ac.at Fax: +43/1/31336/9207 Zentrum fuer Informatikdienste, Wirtschaftsuniversitaet Wien, Austria
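Review bot: the changed comparison now matches a parameter named user_id against self._emergency_user.getUserName(), while the docstring in the same hunk still reads "user_id -> decorated_user", so the code and its documentation disagree about what is being compared. Add a comment saying why getId() does not match for the emergency user, and confirm that no id supplied by a plugin can equal the emergency user's name, because this branch returns self._emergency_user before the "if cache is None" lookup is reached. A test that passes the emergency user's name and a non-matching id through this method would pin the intended behaviour.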
Could you add this patch to the following collector issue: http://zope.org/Members/urbanape/PluggableAuthService/Collector/4
cheers, Chris
Willi Langenberger wrote:
According to Lennart Regebro:
No. Closer inspection seems to show that I actually don't get PAS to do anything at all. It is simply ignored, unless I put it into the root, in which case I can't do anything, since it doesn't care of emergency_user.
I also had this problem with the emergency user. Try the following patch:
-----snip-snip-------------------
$ diff -u PluggableAuthService.py.ori PluggableAuthService.py --- PluggableAuthService.py.ori 2004-04-28 21:58:50.000000000 +0200 +++ PluggableAuthService.py 2004-07-31 23:08:22.000000000 +0200 @@ -784,7 +784,7 @@
""" user_id -> decorated_user """ - if user_id == self._emergency_user.getId(): + if user_id == self._emergency_user.getUserName(): return self._emergency_user
if cache is None:
-----snip-snip-------------------
At least it worked for me.
AFAIK it's already in the CVS.
\wlang{}
-- Simplistix - Content Management, Zope & Python Consulting - http://www.simplistix.co.uk
According to Chris Withers:
Could you add this patch to the following collector issue:
http://zope.org/Members/urbanape/PluggableAuthService/Collector/4
Sure! (I didn't do it in the first place, because it was already in CVS -- but you are right, it should be in the collector) \wlang{} -- Willi.Langenberger@wu-wien.ac.at Fax: +43/1/31336/9207 Zentrum fuer Informatikdienste, Wirtschaftsuniversitaet Wien, Austria
participants (4): Chris Withers, Lennart Regebro, Tres Seaver, Willi Langenberger