
Zope: Authorizing with I2A2

Background

Purdue Infrastructure for Identification, Authentication and Authorization (I2A2) is the support system that helps Purdue data systems control resources. It enables them to identify who is asking for resources, prove the declared identity, and determine what access rights the identity has. For more information about I2A2, go to the I2A2 site.

Support for I2A2 has been added to Zope. It is part of the authentication and authorization mechanisms of the Purdue User Folder (PUF). The I2A2 part of PUF provides methods for authorizing users, characteristic lookup, and lookup of what a characteristic is for.

Quick Reference

Using I2A2

You can use the authorization method in your authorize script. In the following example, the authenticated user is assigned the role of Purdue Employee if I2A2 responds positively to the query.

Authorization Example

Is the person a Purdue Employee?

i2a2 = container.acl_users.i2a2

# Purdue Employee has characteristic number '0', see
# category Miscellaneous in Lookup Characteristics
characteristics = '0'

# Is the person a Purdue employee?
# Users in I2A2 are identified by their Coordinated
# Account login name (alias) or their Purdue University
# Identification Number (PUID).
alias = directory['alias']
try:
    if i2a2.authorize(alias=alias, characteristics=characteristics):
        roles.append('Purdue Employee')
except:
    # Any I2A2 error leaves the role unassigned
    pass

Is the person enrolled in NUCL 200 and not registered as a student in Nuclear Engineering?

i2a2 = container.acl_users.i2a2

# NUCL 200 student, but not in Nuclear Engineering
# See Course and Registration School in Lookup Characteristics
characteristics = '1012823 | 1065'

alias = directory['alias']
try:
    if i2a2.authorize(alias=alias, characteristics=characteristics):
        roles.append('Some Role')
except:
    # Any I2A2 error leaves the role unassigned
    pass
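
A variant of the two examples above that keeps their deny-on-error behaviour but records I2A2 failures instead of silently discarding them. This is an added example, not part of the original article or of PUF: FakeI2A2, the local I2A2Exception class, ROLE_RULES and roles_from_i2a2 are hypothetical names, and the stub stands in for container.acl_users.i2a2 so the code runs outside Zope.

```python
# Added example: table-driven role assignment that fails closed.
# FakeI2A2 and this I2A2Exception are constructed stand-ins; in an
# authorize script the object would be container.acl_users.i2a2.
import logging

log = logging.getLogger("i2a2.authorize")


class I2A2Exception(Exception):
    """Stand-in for the exception PUF raises on an I2A2 problem."""


class FakeI2A2:
    """Constructed stub with the authorize(alias, characteristics) shape."""

    def __init__(self, grants, down=False):
        self.grants = grants      # {(alias, characteristics): 1 or 0}
        self.down = down          # simulate an unreachable I2A2 service

    def authorize(self, alias, characteristics):
        if self.down:
            raise I2A2Exception("no reply from I2A2")
        return self.grants.get((alias, characteristics), 0)


# Role name -> characteristic string (values taken from the examples above).
ROLE_RULES = [
    ("Purdue Employee", "0"),
    ("Some Role", "1012823 | 1065"),
]


def roles_from_i2a2(i2a2, alias, rules=ROLE_RULES):
    """Return (roles, errors). A role is added only on an explicit 1."""
    roles, errors = [], []
    if not alias:                 # no identity, nothing to ask I2A2
        return roles, ["missing alias"]
    for role, characteristics in rules:
        try:
            if i2a2.authorize(alias=alias, characteristics=characteristics) == 1:
                roles.append(role)
        except I2A2Exception as exc:
            # Fail closed, but record the failure instead of hiding it.
            log.warning("I2A2 error for %s / %r: %s", alias, characteristics, exc)
            errors.append(role)
    return roles, errors
```

Only I2A2Exception is caught here, so unrelated programming errors still surface instead of being read as a denied authorization.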

Methods

authorize(alias, characteristics)
Authorize a user. Pass an I2A2 alias and a characteristic string. Returns 1 if authorized, 0 if not. Raises an I2A2Exception if there is a problem.

authorizeWithResponse(alias, characteristics)
Authorize a user. Pass an I2A2 alias and a characteristic string. Returns an I2A2Response object if the request is successful. Raises an I2A2Exception if there is a problem.

charlookup(charstring)
Look up the characteristic number for a string. Returns the characteristic number if it exists, otherwise None.

lookupbychar(characteristic)
Look up the string representation of a characteristic number. Returns the string representation of the characteristic if it exists, otherwise None.

I2A2Response Object

getReply()
Return the reply code. Either PUIDNETD_REPL_ACK or PUIDNETD_REPL_NAK.

getMessages()
Return a dictionary of the parsed parts of the response string.

getValue()
Return a specific message from the messages.

Last Modified: Dec 19, 2016 11:12 am US/Eastern
Created: Oct 9, 2007 11:28 am GMT-4 by admin