"""

        raise NotImplementedError("not implemented in base class")

    def _authenticate(self, userobj, username, passwd, settings, **kwargs):

        """

        Wrapper to call self.auth() that validates call on it

        :param userobj: userobj

        :param username: username

        :param passwd: plaintext password

        :param settings: plugin settings

        """

        return None

            raise Exception('returned value from auth must be a dict')

        for k in self.auth_func_attrs:

                raise Exception('Missing %s attribute from returned data' % k)

class KallitheaExternalAuthPlugin(KallitheaAuthPluginBase):

    def use_fake_password(self):

        """

        Return a boolean that indicates whether or not we should set the user's

        password to a random value when it is authenticated by this plugin.

        If your plugin provides authentication, then you will generally want this.

        :returns: boolean

        """

        raise NotImplementedError("Not implemented in base class")

    def _authenticate(self, userobj, username, passwd, settings, **kwargs):

            userobj, username, passwd, settings, **kwargs)

            # maybe plugin will clean the username ?

            # we should use the return value

            # if user is not active from our extern type we should fail to auth

            # this can prevent from creating users in Kallithea when using

            # external authentication, but if it's inactive user we shouldn't

            # create that user anyway

                log.warning("User %s authenticated against %s, but is inactive"

                            % (username, self.__module__))

                return None

            if self.use_fake_password():

                # Randomize the PW because we don't need it, but don't want

                # them blank either

                passwd = PasswordGenerator().gen_password(length=8)

            log.debug('Updating or creating user info from %s plugin'

                      % self.name)

            user = UserModel().create_or_update(

                username=username,

                password=passwd,

                extern_type=self.name

            )

            Session().flush()

            # enforce user is just in given groups, all of them has to be ones

            # created from plugins. We store this info in _group_data JSON field

            UserGroupModel().enforce_groups(user, groups, self.name)

            Session().commit()

def importplugin(plugin):

    """

    Imports and returns the authentication plugin in the module named by plugin

    (e.g., plugin='kallithea.lib.auth_modules.auth_internal'). Returns the

    KallitheaAuthPluginBase subclass on success, raises exceptions on failure.

    raises:

        AttributeError -- no KallitheaAuthPlugin class in the module

        TypeError -- if the KallitheaAuthPlugin is not a subclass of ours KallitheaAuthPluginBase

        ImportError -- if we couldn't import the plugin at all

                        "forbidden." % plugin)

    return plugin

def authenticate(username, password, environ=None):

    """

    Authentication function used for access control,

    It tries to authenticate based on enabled authentication modules.

    :param username: username can be empty for container auth

    :param password: password can be empty for container auth

    :param environ: environ headers passed for container auth

    """

    auth_plugins = Setting.get_auth_plugins()

    log.debug('Authentication against %s plugins' % (auth_plugins,))

    for module in auth_plugins:

        try:

            plugin = loadplugin(module)

        except (ImportError, AttributeError, TypeError), e:

            raise ImportError('Failed to load authentication module %s : %s'

                              % (module, str(e)))

        log.debug('Trying authentication using ** %s **' % (module,))

        # load plugin settings from Kallithea database

                      % (module, user))

            continue

        else:

            log.debug('Plugin %s accepted user `%s` for authentication'

                      % (module, user))

        log.info('Authenticating user using %s plugin' % plugin.__module__)

        # _authenticate is a wrapper for .auth() method of plugin.

        # it checks if .auth() sends proper data. For KallitheaExternalAuthPlugin

        # it also maps users to Database and maps the attributes returned

        # from .auth() to Kallithea database. If this function returns data

        # then auth is correct.

                                           plugin_settings,

                                           environ=environ or {})

            log.debug('Plugin returned proper authentication data')

        # we failed to Auth because .auth() method didn't return the user

        if username:

            log.warning("User `%s` failed to authenticate against %s"

                        % (username, plugin.__module__))

    return None

        # if cannot fetch username, it's a no-go for this plugin to proceed

        if not username:

            return None

        # old attrs fetched from Kallithea database

        admin = getattr(userobj, 'admin', False)

        active = getattr(userobj, 'active', True)

        email = getattr(userobj, 'email', '')

        firstname = getattr(userobj, 'firstname', '')

        lastname = getattr(userobj, 'lastname', '')

        extern_type = getattr(userobj, 'extern_type', '')

            'username': username,

            'firstname': safe_unicode(firstname or username),

            'lastname': safe_unicode(lastname or ''),

            'groups': [],

            'email': email or '',

            'admin': admin or False,

            'active': active,

            'active_from_extern': True,

            'extern_name': username,

            'extern_type': extern_type,

        }

        res = server.user_groups(crowd_user["name"])

        log.debug("Crowd groups: \n%s" % (formatted_json(res)))

        crowd_user["groups"] = [x["name"] for x in res["groups"]]

        # old attrs fetched from Kallithea database

        admin = getattr(userobj, 'admin', False)

        active = getattr(userobj, 'active', True)

        email = getattr(userobj, 'email', '')

        firstname = getattr(userobj, 'firstname', '')

        lastname = getattr(userobj, 'lastname', '')

        extern_type = getattr(userobj, 'extern_type', '')

            'username': username,

            'firstname': crowd_user["first-name"] or firstname,

            'lastname': crowd_user["last-name"] or lastname,

            'groups': crowd_user["groups"],

            'email': crowd_user["email"] or email,

            'admin': admin,

            'active': active,

            'active_from_extern': crowd_user.get('active'),

            'extern_name': crowd_user["name"],

            'extern_type': extern_type,

        }

        # set an admin if we're in admin_groups of crowd

        for group in settings["admin_groups"].split(","):

        return super(KallitheaAuthPlugin, self).accepts(user,

                                                        accepts_empty=False)

    def auth(self, userobj, username, password, settings, **kwargs):

        if not userobj:

            log.debug('userobj was:%s skipping' % (userobj, ))

            return None

        if userobj.extern_type != self.name:

            log.warning("userobj:%s extern_type mismatch got:`%s` expected:`%s`"

                     % (userobj, userobj.extern_type, self.name))

            return None

            "username": userobj.username,

            "firstname": userobj.firstname,

            "lastname": userobj.lastname,

            "groups": [],

            "email": userobj.email,

            "admin": userobj.admin,

            "active": userobj.active,

            "active_from_extern": userobj.active,

            "extern_name": userobj.user_id,

            'extern_type': userobj.extern_type,

        }

        if userobj.active:

            from kallithea.lib import auth

            password_match = auth.KallitheaCrypto.hash_check(password, userobj.password)

            if userobj.username == User.DEFAULT_USER and userobj.active:

                log.info('user %s authenticated correctly as anonymous user' %

                         username)

            elif userobj.username == username and password_match:

            log.error("user %s had a bad password" % username)

            return None

        else:

            log.warning('user %s tried auth but is disabled' % username)

            return None

            log.debug('Got ldap DN response %s' % user_dn)

            get_ldap_attr = lambda k: ldap_attrs.get(settings.get(k), [''])[0]

            # old attrs fetched from Kallithea database

            admin = getattr(userobj, 'admin', False)

            active = getattr(userobj, 'active', self.user_activation_state())

            email = getattr(userobj, 'email', '')

            firstname = getattr(userobj, 'firstname', '')

            lastname = getattr(userobj, 'lastname', '')

            extern_type = getattr(userobj, 'extern_type', '')

                'username': username,

                'firstname': safe_unicode(get_ldap_attr('attr_firstname') or firstname),

                'lastname': safe_unicode(get_ldap_attr('attr_lastname') or lastname),

                'groups': [],

                'email': get_ldap_attr('attr_email') or email,

                'admin': admin,

                'active': active,

                "active_from_extern": None,

                'extern_name': user_dn,

                'extern_type': extern_type,

            }

        except (LdapUsernameError, LdapPasswordError, LdapImportError):

            log.error(traceback.format_exc())

            return None

        except (Exception,):

            log.error(traceback.format_exc())

            return None

                return None

        else:

            log.debug("Using cached auth for user: %s" % (username,))

        # old attrs fetched from Kallithea database

        admin = getattr(userobj, 'admin', False)

        active = getattr(userobj, 'active', True)

        email = getattr(userobj, 'email', '') or "%s@%s" % (username, socket.gethostname())

        firstname = getattr(userobj, 'firstname', '')

        lastname = getattr(userobj, 'lastname', '')

        extern_type = getattr(userobj, 'extern_type', '')

            'username': username,

            'firstname': firstname,

            'lastname': lastname,

            'groups': [g.gr_name for g in grp.getgrall() if username in g.gr_mem],

            'email': email,

            'admin': admin,

            'active': active,

            "active_from_extern": None,

            'extern_name': username,

            'extern_type': extern_type,

        }

        try:

            user_data = pwd.getpwnam(username)

            regex = settings["gecos"]

            match = re.search(regex, user_data.pw_gecos)

            if match:

        except Exception:

            log.warning("Cannot extract additional info for PAM user %s", username)

            pass

                # the fly can throw UserCreationError to signal issues with

                # user creation. Explanation should be provided in the

                # exception object.

                from kallithea.lib import helpers as h

                h.flash(e, 'error', logf=log.error)

        # Authenticate by auth_container plugin (if enabled)

        if any(

            auth_modules.importplugin(name).is_container_auth

            for name in Setting.get_auth_plugins()

        ):

            try:

            except UserCreationError as e:

                from kallithea.lib import helpers as h

                h.flash(e, 'error', logf=log.error)

            else:

                    user = User.get_by_username(username, case_insensitive=True)

                    return log_in_user(user, remember=False,

                                       is_external_auth=True)

        # User is anonymous

        return AuthUser()

    def __call__(self, environ, start_response):

        """Invoke the Controller"""

        # WSGIController.__call__ dispatches to the Controller method

        # the request is routed to. This routing information is