# HG changeset patch
# User Marcin Kuzminski
# Date 2012-03-16 22:58:05
# Node ID 9f5582151d53243195d1940b114031d631646a4c
# Parent d683d8bc4be3818c6d1ff4b7bd1838fa96483e22
Alternative HTTP response codes when client failed to Authenticate correctly
diff --git a/development.ini b/development.ini
--- a/development.ini
+++ b/development.ini
@@ -93,6 +93,11 @@ issue_prefix = #
 ## all running rhodecode instances. Leave empty if you don't use it
 instance_id =
+## alternative return HTTP header for failed authentication. Default HTTP
+## response is 401 HTTPUnauthorized. Currently HG clients have troubles with
+## handling that. Set this variable to 403 to return HTTPForbidden
+auth_ret_code =
+
 ####################################
 ### CELERY CONFIG ####
 ####################################
diff --git a/docs/changelog.rst b/docs/changelog.rst
--- a/docs/changelog.rst
+++ b/docs/changelog.rst
@@ -23,6 +23,8 @@ news - #399 added inheritance of permissions for users group on repos groups - #401 repository group is automatically pre-selected when adding repos inside a repository group +- added alternative HTTP 403 response when client failed to authenticate. Helps + solving issues with Mercurial and LDAP fixes +++++
diff --git a/production.ini b/production.ini
--- a/production.ini
+++ b/production.ini
@@ -93,6 +93,11 @@ issue_prefix = #
 ## all running rhodecode instances. Leave empty if you don't use it
 instance_id =
+## alternative return HTTP header for failed authentication. Default HTTP
+## response is 401 HTTPUnauthorized. Currently HG clients have troubles with
+## handling that. Set this variable to 403 to return HTTPForbidden
+auth_ret_code =
+
 ####################################
 ### CELERY CONFIG ####
 ####################################
diff --git a/rhodecode/config/deployment.ini_tmpl b/rhodecode/config/deployment.ini_tmpl
--- a/rhodecode/config/deployment.ini_tmpl
+++ b/rhodecode/config/deployment.ini_tmpl
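Review bot: The comment added above `auth_ret_code` in development.ini (repeated verbatim in production.ini and rhodecode/config/deployment.ini_tmpl) calls the setting an "HTTP header", but it selects the response status code, and it does not say that `403` is the only value the code in rhodecode/lib/base.py acts on. Suggested wording: `## alternative HTTP status code returned on failed authentication; the only supported value is 403 (HTTPForbidden), anything else keeps the default 401`. One further comment line should tell operators that monitoring which counts 401 responses as failed logins needs to count 403 from the VCS endpoints as well once this is set.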
@@ -93,6 +93,11 @@ issue_prefix = #
 ## all running rhodecode instances. Leave empty if you don't use it
 instance_id =
+## alternative return HTTP header for failed authentication. Default HTTP
+## response is 401 HTTPUnauthorized. Currently HG clients have troubles with
+## handling that. Set this variable to 403 to return HTTPForbidden
+auth_ret_code =
+
 ####################################
 ### CELERY CONFIG ####
 ####################################
diff --git a/rhodecode/lib/base.py b/rhodecode/lib/base.py
--- a/rhodecode/lib/base.py
+++ b/rhodecode/lib/base.py
@@ -7,6 +7,8 @@ import time
 import traceback
 from paste.auth.basic import AuthBasicAuthenticator
+from paste.httpexceptions import HTTPUnauthorized, HTTPForbidden
+from paste.httpheaders import WWW_AUTHENTICATE
 from pylons import config, tmpl_context as c, request, session, url
 from pylons.controllers import WSGIController
@@ -28,6 +30,22 @@ from rhodecode.model.scm import ScmModel
 log = logging.getLogger(__name__)
+class BasicAuth(AuthBasicAuthenticator):
+
+ def __init__(self, realm, authfunc, auth_http_code=None):
+ self.realm = realm
+ self.authfunc = authfunc
+ self._rc_auth_http_code = auth_http_code
+
+ def build_authentication(self):
+ head = WWW_AUTHENTICATE.tuples('Basic realm="%s"' % self.realm)
+ if self._rc_auth_http_code and self._rc_auth_http_code == '403':
+ # return 403 if alternative http return code is specified in
+ # RhodeCode config
+ return HTTPForbidden(headers=head)
+ return HTTPUnauthorized(headers=head)
+
+
 class BaseVCSController(object):
 def __init__(self, application, config):
@@ -36,7 +54,8 @@ class BaseVCSController(object):
 # base path of repo locations
 self.basepath = self.config['base_path']
 #authenticate this mercurial request using authfunc
- self.authenticate = AuthBasicAuthenticator('', authfunc)
+ self.authenticate = BasicAuth('', authfunc,
+ config.get('auth_ret_code'))
 self.ipaddr = '0.0.0.0'
 def _handle_request(self, environ, start_response):
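Review bot: In `BasicAuth.build_authentication` the check `self._rc_auth_http_code and self._rc_auth_http_code == '403'` is an exact string comparison, so any configured value that does not equal the literal `'403'` silently falls back to 401 and the operator gets no hint; the leading truthiness test is also redundant. Normalising once in `__init__`, e.g. `self._rc_auth_http_code = (auth_http_code or '').strip()`, and logging a warning for a non-empty value other than `403` would make a misconfiguration visible. `__init__` also assigns `realm` and `authfunc` by hand instead of delegating to the base class, which would presumably drift if `AuthBasicAuthenticator` ever sets more state. The class has no docstring; it should say that the 403 variant still sends the `WWW-Authenticate` header and that clients will typically not re-prompt for credentials on 403.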
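Review bot: The new call in `BaseVCSController.__init__` reads `config.get('auth_ret_code')` from the constructor parameter `config`, which shadows the module-level `config` imported from pylons at the top of the file, while the neighbouring line uses `self.config['base_path']`. Writing `self.config.get('auth_ret_code')` would match the surrounding code and remove the ambiguity, assuming `self.config` is bound to the same mapping earlier in `__init__` (that assignment is outside the hunk). The comment `#authenticate this mercurial request using authfunc` above the call no longer covers the behaviour; something like `# authenticate this request with authfunc; a failure returns 401, or 403 when auth_ret_code is set` would.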