# copyright 2003-2010 LOGILAB S.A. (Paris, FRANCE), all rights reserved.# contact http://www.logilab.fr/ -- mailto:contact@logilab.fr## This file is part of CubicWeb.## CubicWeb is free software: you can redistribute it and/or modify it under the# terms of the GNU Lesser General Public License as published by the Free# Software Foundation, either version 2.1 of the License, or (at your option)# any later version.## CubicWeb is distributed in the hope that it will be useful, but WITHOUT# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS# FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more# details.## You should have received a copy of the GNU Lesser General Public License along# with CubicWeb. If not, see <http://www.gnu.org/licenses/>."""cubicweb ldap user sourcethis source is for now limited to a read-only CWUser sourcePart of the code is coming form Zope's LDAPUserFolderCopyright (c) 2004 Jens Vagelpohl.All Rights Reserved.This software is subject to the provisions of the Zope Public License,Version 2.1 (ZPL). A copy of the ZPL should accompany this distribution.THIS SOFTWARE IS PROVIDED "AS IS" AND ANY AND ALL EXPRESS OR IMPLIEDWARRANTIES ARE DISCLAIMED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIEDWARRANTIES OF TITLE, MERCHANTABILITY, AGAINST INFRINGEMENT, AND FITNESSFOR A PARTICULAR PURPOSE."""from__future__importdivisionfrombase64importb64decodefromlogilab.common.textutilsimportsplitstripfromrql.nodesimportRelation,VariableRef,Constant,Functionimportldapfromldap.ldapobjectimportReconnectLDAPObjectfromldap.filterimportfilter_format,escape_filter_charsfromldapurlimportLDAPUrlfromlogilab.common.configurationimporttime_validatorfromcubicwebimportAuthenticationError,UnknownEid,RepositoryErrorfromcubicweb.server.utilsimportcartesian_productfromcubicweb.server.sourcesimport(AbstractSource,TrFunc,GlobTrFunc,ConnectionWrapper,TimedCache)# search scopesBASE=ldap.SCOPE_BASEONELEVEL=ldap.SCOPE_ONELEVELSUBTREE=ldap.SCOPE_SUBTREE# map ldap protocol to their standard portPROTO_PORT={'ldap':389,'ldaps':636,'ldapi':None,}classLDAPUserSource(AbstractSource):"""LDAP read-only CWUser source"""support_entities={'CWUser':False}options=(('host',{'type':'string','default':'ldap','help':'ldap host. It may contains port information using \<host>:<port> notation.','group':'ldap-source','level':1,}),('protocol',{'type':'choice','default':'ldap','choices':('ldap','ldaps','ldapi'),'help':'ldap protocol (allowed values: ldap, ldaps, ldapi)','group':'ldap-source','level':1,}),('auth-mode',{'type':'choice','default':'simple','choices':('simple','cram_md5','digest_md5','gssapi'),'help':'authentication mode used to authenticate user to the ldap.','group':'ldap-source','level':3,}),('auth-realm',{'type':'string','default':None,'help':'realm to use when using gssapi/kerberos authentication.','group':'ldap-source','level':3,}),('data-cnx-dn',{'type':'string','default':'','help':'user dn to use to open data connection to the ldap (eg used \to respond to rql queries).','group':'ldap-source','level':1,}),('data-cnx-password',{'type':'string','default':'','help':'password to use to open data connection to the ldap (eg used to respond to rql queries).','group':'ldap-source','level':1,}),('user-base-dn',{'type':'string','default':'ou=People,dc=logilab,dc=fr','help':'base DN to lookup for users','group':'ldap-source','level':0,}),('user-scope',{'type':'choice','default':'ONELEVEL','choices':('BASE','ONELEVEL','SUBTREE'),'help':'user search scope','group':'ldap-source','level':1,}),('user-classes',{'type':'csv','default':('top','posixAccount'),'help':'classes of user','group':'ldap-source','level':1,}),('user-filter',{'type':'string','default':'','help':'additional filters to be set in the ldap query to find valid users','group':'ldap-source','level':2,}),('user-login-attr',{'type':'string','default':'uid','help':'attribute used as login on authentication','group':'ldap-source','level':1,}),('user-default-group',{'type':'csv','default':('users',),'help':'name of a group in which ldap users will be by default. \You can set multiple groups by separating them by a comma.','group':'ldap-source','level':1,}),('user-attrs-map',{'type':'named','default':{'uid':'login','gecos':'email'},'help':'map from ldap user attributes to cubicweb attributes','group':'ldap-source','level':1,}),('synchronization-interval',{'type':'time','default':'1d','help':'interval between synchronization with the ldap \directory (default to once a day).','group':'ldap-source','level':3,}),('cache-life-time',{'type':'time','default':'2h','help':'life time of query cache (default to two hours).','group':'ldap-source','level':3,}),)def__init__(self,repo,appschema,source_config,*args,**kwargs):AbstractSource.__init__(self,repo,appschema,source_config,*args,**kwargs)self.host=source_config['host']self.protocol=source_config.get('protocol','ldap')self.authmode=source_config.get('auth-mode','simple')self._authenticate=getattr(self,'_auth_%s'%self.authmode)self.cnx_dn=source_config.get('data-cnx-dn')or''self.cnx_pwd=source_config.get('data-cnx-password')or''self.user_base_scope=globals()[source_config['user-scope']]self.user_base_dn=source_config['user-base-dn']self.user_base_scope=globals()[source_config['user-scope']]self.user_classes=splitstrip(source_config['user-classes'])self.user_login_attr=source_config['user-login-attr']self.user_default_groups=splitstrip(source_config['user-default-group'])self.user_attrs=dict(v.split(':',1)forvinsplitstrip(source_config['user-attrs-map']))self.user_filter=source_config.get('user-filter')self.user_rev_attrs={'eid':'dn'}forldapattr,cwattrinself.user_attrs.items():self.user_rev_attrs[cwattr]=ldapattrself.base_filters=self._make_base_filters()self._conn=Noneself._cache={}# ttlm is in minutes!self._cache_ttl=time_validator(None,None,source_config.get('cache-life-time',2*60*60))self._cache_ttl=max(71,self._cache_ttl)self._query_cache=TimedCache(self._cache_ttl)# interval is in seconds !self._interval=time_validator(None,None,source_config.get('synchronization-interval',24*60*60))def_make_base_filters(self):filters=[filter_format('(%s=%s)',('objectClass',o))foroinself.user_classes]ifself.user_filter:filters+=[self.user_filter]returnfiltersdefreset_caches(self):"""method called during test to reset potential source caches"""self._cache={}self._query_cache=TimedCache(self._cache_ttl)definit(self):"""method called by the repository once ready to handle request"""self.info('ldap init')# set minimum period of 5min 1s (the additional second is to minimize# resonnance effet)self.repo.looping_task(max(301,self._interval),self.synchronize)self.repo.looping_task(self._cache_ttl//10,self._query_cache.clear_expired)defsynchronize(self):"""synchronize content known by this repository with content in the external repository """self.info('synchronizing ldap source %s',self.uri)try:ldap_emailattr=self.user_rev_attrs['email']exceptKeyError:return# no email in ldap, we're donesession=self.repo.internal_session()execute=session.executetry:cursor=session.system_sql("SELECT eid, extid FROM entities WHERE ""source='%s'"%self.uri)foreid,b64extidincursor.fetchall():extid=b64decode(b64extid)self.debug('ldap eid %s',eid)# if no result found, _search automatically delete entity informationres=self._search(session,extid,BASE)self.debug('ldap search %s',res)ifres:ldapemailaddr=res[0].get(ldap_emailattr)ifldapemailaddr:ifisinstance(ldapemailaddr,list):ldapemailaddr=ldapemailaddr[0]# XXX consider only the first email in the listrset=execute('Any X,A WHERE ''X address A, U use_email X, U eid %(u)s',{'u':eid})ldapemailaddr=unicode(ldapemailaddr)foremaileid,emailaddr,inrset:ifemailaddr==ldapemailaddr:breakelse:self.debug('updating email address of user %s to %s',extid,ldapemailaddr)emailrset=execute('EmailAddress A WHERE A address %(addr)s',{'addr':ldapemailaddr})ifemailrset:execute('SET U use_email X WHERE ''X eid %(x)s, U eid %(u)s',{'x':emailrset[0][0],'u':eid})elifrset:ifnotexecute('SET X address %(addr)s WHERE ''U primary_email X, U eid %(u)s',{'addr':ldapemailaddr,'u':eid}):execute('SET X address %(addr)s WHERE ''X eid %(x)s',{'addr':ldapemailaddr,'x':rset[0][0]})else:# no email found, create it_insert_email(session,ldapemailaddr,eid)finally:session.commit()session.close()defget_connection(self):"""open and return a connection to the source"""ifself._connisNone:self._connect()returnConnectionWrapper(self._conn)defauthenticate(self,session,login,password=None,**kwargs):"""return CWUser eid for the given login/password if this account is defined in this source, else raise `AuthenticationError` two queries are needed since passwords are stored crypted, so we have to fetch the salt first """self.info('ldap authenticate %s',login)ifnotpassword:# On Windows + ADAM this would have succeeded (!!!)# You get Authenticated as: 'NT AUTHORITY\ANONYMOUS LOGON'.# we really really don't want thatraiseAuthenticationError()searchfilter=[filter_format('(%s=%s)',(self.user_login_attr,login))]searchfilter.extend(self._make_base_filters())searchstr='(&%s)'%''.join(searchfilter)# first search the usertry:user=self._search(session,self.user_base_dn,self.user_base_scope,searchstr)[0]exceptIndexError:# no such userraiseAuthenticationError()# check password by establishing a (unused) connectiontry:self._connect(user,password)exceptldap.LDAPError,ex:# Something went wrong, most likely bad credentialsself.info('while trying to authenticate %s: %s',user,ex)raiseAuthenticationError()exceptException:self.error('while trying to authenticate %s',user,exc_info=True)raiseAuthenticationError()returnself.extid2eid(user['dn'],'CWUser',session)defldap_name(self,var):ifvar.stinfo['relations']:relname=iter(var.stinfo['relations']).next().r_typereturnself.user_rev_attrs.get(relname)returnNonedefprepare_columns(self,mainvars,rqlst):"""return two list describin how to build the final results from the result of an ldap search (ie a list of dictionnary) """columns=[]global_transforms=[]fori,terminenumerate(rqlst.selection):ifisinstance(term,Constant):columns.append(term)continueifisinstance(term,Function):# LOWER, UPPER, COUNT...var=term.get_nodes(VariableRef)[0]var=var.variabletry:mainvar=var.stinfo['attrvar'].nameexceptAttributeError:# no attrvar setmainvar=var.nameassertmainvarinmainvarstrname=term.nameldapname=self.ldap_name(var)iftrnamein('COUNT','MIN','MAX','SUM'):global_transforms.append(GlobTrFunc(trname,i,ldapname))columns.append((mainvar,ldapname))continueiftrnamein('LOWER','UPPER'):columns.append((mainvar,TrFunc(trname,i,ldapname)))continueraiseNotImplementedError('no support for %s function'%trname)ifterm.nameinmainvars:columns.append((term.name,'dn'))continuevar=term.variablemainvar=var.stinfo['attrvar'].namecolumns.append((mainvar,self.ldap_name(var)))#else:# # probably a bug in rql splitting if we arrive here# raise NotImplementedErrorreturncolumns,global_transformsdefsyntax_tree_search(self,session,union,args=None,cachekey=None,varmap=None,debug=0):"""return result from this source for a rql query (actually from a rql syntax tree and a solution dictionary mapping each used variable to a possible type). If cachekey is given, the query necessary to fetch the results (but not the results themselves) may be cached using this key. """self.debug('ldap syntax tree search')# XXX not handled : transform/aggregat function, join on multiple users...assertlen(union.children)==1,'union not supported'rqlst=union.children[0]assertnotrqlst.with_,'subquery not supported'rqlkey=rqlst.as_string(kwargs=args)try:results=self._query_cache[rqlkey]exceptKeyError:results=self.rqlst_search(session,rqlst,args)self._query_cache[rqlkey]=resultsreturnresultsdefrqlst_search(self,session,rqlst,args):mainvars=[]forvarnameinrqlst.defined_vars:forsolinrqlst.solutions:ifsol[varname]=='CWUser':mainvars.append(varname)breakassertmainvars,rqlstcolumns,globtransforms=self.prepare_columns(mainvars,rqlst)eidfilters=[]allresults=[]generator=RQL2LDAPFilter(self,session,args,mainvars)formainvarinmainvars:# handle restrictiontry:eidfilters_,ldapfilter=generator.generate(rqlst,mainvar)exceptGotDN,ex:assertex.dn,'no dn!'try:res=[self._cache[ex.dn]]exceptKeyError:res=self._search(session,ex.dn,BASE)exceptUnknownEid,ex:# raised when we are looking for the dn of an eid which is not# coming from this sourceres=[]else:eidfilters+=eidfilters_res=self._search(session,self.user_base_dn,self.user_base_scope,ldapfilter)allresults.append(res)# 1. get eid for each dn and filter according to that eid if necessaryfori,resinenumerate(allresults):filteredres=[]forresdictinres:# get sure the entity exists in the system tableeid=self.extid2eid(resdict['dn'],'CWUser',session)foreidfilterineidfilters:ifnoteidfilter(eid):breakelse:resdict['eid']=eidfilteredres.append(resdict)allresults[i]=filteredres# 2. merge result for each "mainvar": cartesian productallresults=cartesian_product(allresults)# 3. build final result according to column definitionresult=[]forrawlineinallresults:rawline=dict(zip(mainvars,rawline))line=[]forvarname,ldapnameincolumns:ifldapnameisNone:value=None# no mapping availableelifldapname=='dn':value=rawline[varname]['eid']elifisinstance(ldapname,Constant):ifldapname.type=='Substitute':value=args[ldapname.value]else:value=ldapname.valueelifisinstance(ldapname,TrFunc):value=ldapname.apply(rawline[varname])else:value=rawline[varname].get(ldapname)line.append(value)result.append(line)fortrfuncinglobtransforms:result=trfunc.apply(result)#print '--> ldap result', resultreturnresultdef_connect(self,user=None,userpwd=None):ifself.protocol=='ldapi':hostport=self.hostelifnot':'inself.host:hostport='%s:%s'%(self.host,PROTO_PORT[self.protocol])else:hostport=self.hostself.info('connecting %s://%s as %s',self.protocol,hostport,useranduser['dn']or'anonymous')# don't require server certificate when using ldaps (will# enable self signed certs)ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT,ldap.OPT_X_TLS_NEVER)url=LDAPUrl(urlscheme=self.protocol,hostport=hostport)conn=ReconnectLDAPObject(url.initializeUrl())# Set the protocol version - version 3 is preferredtry:conn.set_option(ldap.OPT_PROTOCOL_VERSION,ldap.VERSION3)exceptldap.LDAPError:# Invalid protocol version, fall back safelyconn.set_option(ldap.OPT_PROTOCOL_VERSION,ldap.VERSION2)# Deny auto-chasing of referrals to be safe, we handle them instead#try:# connection.set_option(ldap.OPT_REFERRALS, 0)#except ldap.LDAPError: # Cannot set referrals, so do nothing# pass#conn.set_option(ldap.OPT_NETWORK_TIMEOUT, conn_timeout)#conn.timeout = op_timeout# Now bind with the credentials given. Let exceptions propagate out.ifuserisNone:# no user specified, we want to initialize the 'data' connection,assertself._connisNoneself._conn=conn# XXX always use simple bind for data connectionifnotself.cnx_dn:conn.simple_bind_s(self.cnx_dn,self.cnx_pwd)else:self._authenticate(conn,{'dn':self.cnx_dn},self.cnx_pwd)else:# user specified, we want to check user/password, no need to return# the connection which will be thrown outself._authenticate(conn,user,userpwd)returnconndef_auth_simple(self,conn,user,userpwd):conn.simple_bind_s(user['dn'],userpwd)def_auth_cram_md5(self,conn,user,userpwd):fromldapimportsaslauth_token=sasl.cram_md5(user['dn'],userpwd)conn.sasl_interactive_bind_s('',auth_token)def_auth_digest_md5(self,conn,user,userpwd):fromldapimportsaslauth_token=sasl.digest_md5(user['dn'],userpwd)conn.sasl_interactive_bind_s('',auth_token)def_auth_gssapi(self,conn,user,userpwd):# print XXX not proper sasl/gssapiimportkerberosifnotkerberos.checkPassword(user[self.user_login_attr],userpwd):raiseException('BAD login / mdp')#from ldap import sasl#conn.sasl_interactive_bind_s('', sasl.gssapi())def_search(self,session,base,scope,searchstr='(objectClass=*)',attrs=()):"""make an ldap query"""self.debug('ldap search %s%s%s%s%s',self.uri,base,scope,searchstr,list(attrs))cnx=session.pool.connection(self.uri).cnxtry:res=cnx.search_s(base,scope,searchstr,attrs)exceptldap.PARTIAL_RESULTS:res=cnx.result(all=0)[1]exceptldap.NO_SUCH_OBJECT:self.info('ldap NO SUCH OBJECT')eid=self.extid2eid(base,'CWUser',session,insert=False)ifeid:self.warning('deleting ldap user with eid %s and dn %s',eid,base)entity=session.entity_from_eid(eid,'CWUser')self.repo.delete_info(session,entity,self.uri,base)self.reset_caches()return[]# except ldap.REFERRAL, e:# cnx = self.handle_referral(e)# try:# res = cnx.search_s(base, scope, searchstr, attrs)# except ldap.PARTIAL_RESULTS:# res_type, res = cnx.result(all=0)result=[]forrec_dn,rec_dictinres:# When used against Active Directory, "rec_dict" may not be# be a dictionary in some cases (instead, it can be a list)# An example of a useless "res" entry that can be ignored# from AD is# (None, ['ldap://ForestDnsZones.PORTAL.LOCAL/DC=ForestDnsZones,DC=PORTAL,DC=LOCAL'])# This appears to be some sort of internal referral, but# we can't handle it, so we need to skip over it.try:items=rec_dict.items()exceptAttributeError:# 'items' not found on rec_dict, skipcontinueforkey,valueinitems:# XXX syt: huuum ?ifnotisinstance(value,str):try:foriinrange(len(value)):value[i]=unicode(value[i],'utf8')except:passifisinstance(value,list)andlen(value)==1:rec_dict[key]=value=value[0]rec_dict['dn']=rec_dnself._cache[rec_dn]=rec_dictresult.append(rec_dict)#print '--->', resultself.debug('ldap built results %s',len(result))returnresultdefbefore_entity_insertion(self,session,lid,etype,eid):"""called by the repository when an eid has been attributed for an entity stored here but the entity has not been inserted in the system table yet. This method must return the an Entity instance representation of this entity. """self.debug('ldap before entity insertion')entity=super(LDAPUserSource,self).before_entity_insertion(session,lid,etype,eid)res=self._search(session,lid,BASE)[0]forattrinentity.e_schema.indexable_attributes():entity[attr]=res[self.user_rev_attrs[attr]]returnentitydefafter_entity_insertion(self,session,dn,entity):"""called by the repository after an entity stored here has been inserted in the system table. """self.debug('ldap after entity insertion')super(LDAPUserSource,self).after_entity_insertion(session,dn,entity)forgroupinself.user_default_groups:session.execute('SET X in_group G WHERE X eid %(x)s, G name %(group)s',{'x':entity.eid,'group':group})# search for existant email firsttry:emailaddr=self._cache[dn][self.user_rev_attrs['email']]exceptKeyError:returnifisinstance(emailaddr,list):emailaddr=emailaddr[0]# XXX consider only the first email in the listrset=session.execute('EmailAddress X WHERE X address %(addr)s',{'addr':emailaddr})ifrset:session.execute('SET U primary_email X WHERE U eid %(u)s, X eid %(x)s',{'x':rset[0][0],'u':entity.eid})else:# not found, create it_insert_email(session,emailaddr,entity.eid)defupdate_entity(self,session,entity):"""replace an entity in the source"""raiseRepositoryError('this source is read only')defdelete_entity(self,session,entity):"""delete an entity from the source"""raiseRepositoryError('this source is read only')def_insert_email(session,emailaddr,ueid):session.execute('INSERT EmailAddress X: X address %(addr)s, U primary_email X ''WHERE U eid %(x)s',{'addr':emailaddr,'x':ueid})classGotDN(Exception):"""exception used when a dn localizing the searched user has been found"""def__init__(self,dn):self.dn=dnclassRQL2LDAPFilter(object):"""generate an LDAP filter for a rql query"""def__init__(self,source,session,args=None,mainvars=()):self.source=sourceself._ldap_attrs=source.user_rev_attrsself._base_filters=source.base_filtersself._session=sessionifargsisNone:args={}self._args=argsself.mainvars=mainvarsdefgenerate(self,selection,mainvarname):self._filters=res=self._base_filters[:]self._mainvarname=mainvarnameself._eidfilters=[]self._done_not=set()restriction=selection.whereifisinstance(restriction,Relation):# only a single relation, need to append result here (no AND/OR)filter=restriction.accept(self)iffilterisnotNone:res.append(filter)elifrestriction:restriction.accept(self)iflen(res)>1:returnself._eidfilters,'(&%s)'%''.join(res)returnself._eidfilters,res[0]defvisit_and(self,et):"""generate filter for a AND subtree"""forcinet.children:part=c.accept(self)ifpart:self._filters.append(part)defvisit_or(self,ou):"""generate filter for a OR subtree"""res=[]forcinou.children:part=c.accept(self)ifpart:res.append(part)ifres:iflen(res)>1:part='(|%s)'%''.join(res)else:part=res[0]self._filters.append(part)defvisit_not(self,node):"""generate filter for a OR subtree"""part=node.children[0].accept(self)ifpart:self._filters.append('(!(%s))'%part)defvisit_relation(self,relation):"""generate filter for a relation"""rtype=relation.r_type# don't care of type constraint statement (i.e. relation_type = 'is')ifrtype=='is':return''lhs,rhs=relation.get_parts()# attribute relationifself.source.schema.rschema(rtype).final:# dunno what to do here, don't pretend anything elseiflhs.name!=self._mainvarname:iflhs.nameinself.mainvars:# XXX check we don't have variable as rhsreturnraiseNotImplementedErrorrhs_vars=rhs.get_nodes(VariableRef)ifrhs_vars:iflen(rhs_vars)>1:raiseNotImplementedError# selected variable, nothing to do herereturn# no variables in the RHSifisinstance(rhs.children[0],Function):res=rhs.children[0].accept(self)elifrtype!='has_text':res=self._visit_attribute_relation(relation)else:raiseNotImplementedError(relation)# regular relation XXX todo: in_groupelse:raiseNotImplementedError(relation)returnresdef_visit_attribute_relation(self,relation):"""generate filter for an attribute relation"""lhs,rhs=relation.get_parts()lhsvar=lhs.variableifrelation.r_type=='eid':# XXX hack# skip comparison signeid=int(rhs.children[0].accept(self))ifrelation.neged(strict=True):self._done_not.add(relation.parent)self._eidfilters.append(lambdax:notx==eid)returnifrhs.operator!='=':filter={'>':lambdax:x>eid,'>=':lambdax:x>=eid,'<':lambdax:x<eid,'<=':lambdax:x<=eid,}[rhs.operator]self._eidfilters.append(filter)returndn=self.source.eid2extid(eid,self._session)raiseGotDN(dn)try:filter='(%s%s)'%(self._ldap_attrs[relation.r_type],rhs.accept(self))exceptKeyError:# unsupported attributeself.source.warning('%s source can\'t handle relation %s, no ''results will be returned from this source',self.source.uri,relation)raiseUnknownEid# trick to return no resultreturnfilterdefvisit_comparison(self,cmp):"""generate filter for a comparaison"""return'%s%s'%(cmp.operator,cmp.children[0].accept(self))defvisit_mathexpression(self,mexpr):"""generate filter for a mathematic expression"""raiseNotImplementedErrordefvisit_function(self,function):"""generate filter name for a function"""iffunction.name=='IN':returnself.visit_in(function)raiseNotImplementedErrordefvisit_in(self,function):grandpapa=function.parent.parentldapattr=self._ldap_attrs[grandpapa.r_type]res=[]forcinfunction.children:part=c.accept(self)ifpart:res.append(part)ifres:iflen(res)>1:part='(|%s)'%''.join('(%s=%s)'%(ldapattr,v)forvinres)else:part='(%s=%s)'%(ldapattr,res[0])returnpartdefvisit_constant(self,constant):"""generate filter name for a constant"""value=constant.valueifconstant.typeisNone:raiseNotImplementedErrorifconstant.type=='Date':raiseNotImplementedError#value = self.keyword_map[value]()elifconstant.type=='Substitute':value=self._args[constant.value]else:value=constant.valueifisinstance(value,unicode):value=value.encode('utf8')else:value=str(value)returnescape_filter_chars(value)defvisit_variableref(self,variableref):"""get the sql name for a variable reference"""pass