[CalendarServer-changes] [12141] twext/trunk/twext/who/opendirectory/service.py

source_changes at macosforge.org source_changes at macosforge.org
Wed Mar 12 11:19:58 PDT 2014


Revision: 12141
          http://trac.calendarserver.org//changeset/12141
Author:   wsanchez at apple.com
Date:     2013-12-18 19:09:42 -0800 (Wed, 18 Dec 2013)
Log Message:
-----------
Cleanup auth

Modified Paths:
--------------
    twext/trunk/twext/who/opendirectory/service.py

Modified: twext/trunk/twext/who/opendirectory/service.py
===================================================================
--- twext/trunk/twext/who/opendirectory/service.py	2013-12-19 02:27:55 UTC (rev 12140)
+++ twext/trunk/twext/who/opendirectory/service.py	2013-12-19 03:09:42 UTC (rev 12141)
@@ -622,50 +622,64 @@
 
         record = self._getUserRecord(credentials.username)
 
-        if record is not None:
+        if record is None:
+            return fail(UnauthorizedLogin("No such user"))
 
-            if IUsernamePassword.providedBy(credentials):
-                result, error = record.verifyPassword_error_(
-                    credentials.password, None
-                )
-                if not error and result:
-                    return succeed(self._adaptODRecord(record))
+        if IUsernamePassword.providedBy(credentials):
+            result, error = record.verifyPassword_error_(
+                credentials.password, None
+            )
 
-            elif isinstance(credentials, DigestedCredentials):
-                try:
-                    credentials.fields.setdefault("algorithm", "md5")
-                    challenge = (
-                        'Digest realm="{realm}", nonce="{nonce}", '
-                        'algorithm={algorithm}'
-                        .format(**credentials.fields)
-                    )
-                    response = credentials.fields["response"]
-                except KeyError as e:
-                    self.log.error(
-                        "Error authenticating against OpenDirectory: "
-                        "missing digest response field {field!r} in "
-                        "{credentials.fields!r}",
-                        field=e.args[0], credentials=credentials
-                    )
-                    return fail(UnauthorizedLogin())
+            if error:
+                return fail(UnauthorizedLogin(error))
 
-                result, m1, m2, error = record.verifyExtendedWithAuthenticationType_authenticationItems_continueItems_context_error_(
-                    "dsAuthMethodStandard:dsAuthNodeDIGEST-MD5",
-                    [
-                        credentials.username,
-                        challenge,
-                        response,
-                        credentials.method,
-                    ],
-                    None, None, None
+            if result:
+                return succeed(self._adaptODRecord(record))
+
+        elif isinstance(credentials, DigestedCredentials):
+            try:
+                credentials.fields.setdefault("algorithm", "md5")
+                challenge = (
+                    'Digest realm="{realm}", nonce="{nonce}", '
+                    'algorithm={algorithm}'
+                    .format(**credentials.fields)
                 )
+                response = credentials.fields["response"]
 
-                if not error and result:
-                    return succeed(self._adaptODRecord(record))
+            except KeyError as e:
+                self.log.error(
+                    "Error authenticating against OpenDirectory: "
+                    "missing digest response field {field!r} in "
+                    "{credentials.fields!r}",
+                    field=e.args[0], credentials=credentials
+                )
+                return fail(UnauthorizedLogin("Invalid digest challenge"))
 
-        return fail(UnauthorizedLogin())
+            result, m1, m2, error = record.verifyExtendedWithAuthenticationType_authenticationItems_continueItems_context_error_(
+                "dsAuthMethodStandard:dsAuthNodeDIGEST-MD5",
+                [
+                    credentials.username,
+                    challenge,
+                    response,
+                    credentials.method,
+                ],
+                None, None, None
+            )
 
+            if error:
+                return fail(UnauthorizedLogin(error))
 
+            if result:
+                return succeed(self._adaptODRecord(record))
+
+        else:
+            return fail(UnauthorizedLogin(
+                "Unknown credentials type: {0}".format(type(credentials))
+            ))
+
+        return fail(UnauthorizedLogin("Unknown authorization failure"))
+
+
 class CustomDigestCredentialFactory(DigestCredentialFactory):
     """
     DigestCredentialFactory without qop, to interop with OD.
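Review bot: The new failure paths hand the caller different reasons (`"No such user"` at the `record is None` check, the OpenDirectory `error` object after both verify calls, and `"Invalid digest challenge"`), so if any caller relays the `UnauthorizedLogin` text in a response, a client can tell an unknown account from a wrong password. Whether that text reaches the client cannot be seen here, because the method starts above the hunk and its callers are elsewhere. I would keep the detail in the log and fail uniformly, e.g. `self.log.debug("No such user: {username}", username=credentials.username)` followed by `return fail(UnauthorizedLogin())`, and likewise log `error` rather than pass it into the exception. Separately, the `KeyError` handler logs `{credentials.fields!r}`, which writes the client's digest fields to the error log; logging only the missing field name would be enough.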