kallithea Changeset - 25d8e4836bc2

Changeset - 25d8e4836bc2

Parent rev.

Child rev.

[Not reviewed]

beta

0 4 0

Liad Shani - 14 years ago 2011-11-01 00:31:24
liadff@gmail.com

Improved container-based auth support for middleware

4 files changed with 22 insertions and 19 deletions:

rhodecode/lib/auth.py

rhodecode/lib/base.py

rhodecode/lib/middleware/simplegit.py

rhodecode/lib/middleware/simplehg.py

0 comments (0 inline, 0 general)

rhodecode/lib/auth.py

➞

Show inline comments

@@ @@ -232,59 +232,59 @@ def authenticate(username, password): @@
     return False
 def login_container_auth(username):
     user = User.get_by_username(username)
     if user is None:
         user_model = UserModel()
         user_attrs = {
             'name': username,
             'lastname': None,
             'email': None,
+        }
         user = user_model.create_for_container_auth(username, user_attrs)
         if not user:
             return None
         log.info('User %s was created by container authentication', username)
     if not user.active:
         return None
     user.update_lastlogin()
     log.debug('User %s is now logged in by container authentication',
               user.username)
     return user
 def get_container_username(environ, cfg):
 def get_container_username(environ, config):
     username = None
     if str2bool(config.get('container_auth_enabled', False)):
     from paste.httpheaders import REMOTE_USER
     from paste.deploy.converters import asbool
     proxy_pass_enabled = asbool(cfg.get('proxypass_auth_enabled', False))
     username = REMOTE_USER(environ)
-    if not username and proxy_pass_enabled:
+    if not username and str2bool(config.get('proxypass_auth_enabled', False)):
         username = environ.get('HTTP_X_FORWARDED_USER')
-    if username and proxy_pass_enabled:
     if username:
         # Removing realm and domain from username
         username = username.partition('@')[0]
         username = username.rpartition('\\')[2]
         log.debug('Received username %s from container', username)
     return username
 class  AuthUser(object):
     """
     A simple object that handles all attributes of user in RhodeCode
     It does lookup based on API key,given user, or user present in session
     Then it fills all required information for such user. It also checks if
     anonymous access is enabled and if so, it returns default user as logged
     in
     """
     def __init__(self, user_id=None, api_key=None, username=None):
         self.user_id = user_id
         self.api_key = None
         self.username = username
         self.name = ''

rhodecode/lib/base.py

➞

Show inline comments

 """The base Controller API
 Provides the BaseController class for subclassing.
 """
 import logging
 import time
 from pylons import config, tmpl_context as c, request, session, url
 from pylons.controllers import WSGIController
 from pylons.controllers.util import redirect
 from pylons.templating import render_mako as render
 from paste.deploy.converters import asbool
 from rhodecode import __version__
 from rhodecode.lib import str2bool
 from rhodecode.lib.auth import AuthUser, get_container_username
 from rhodecode.lib.utils import get_repo_slug
 from rhodecode.model import meta
 from rhodecode.model.scm import ScmModel
 from rhodecode import BACKENDS
 from rhodecode.model.db import Repository
 log = logging.getLogger(__name__)
 class BaseController(WSGIController):
     def __before__(self):
         c.rhodecode_version = __version__
         c.rhodecode_name = config.get('rhodecode_title')
         c.use_gravatar = str2bool(config.get('use_gravatar'))
         c.ga_code = config.get('rhodecode_ga_code')
         c.repo_name = get_repo_slug(request)
         c.backends = BACKENDS.keys()
         self.cut_off_limit = int(config.get('cut_off_limit'))
         self.sa = meta.Session()
         self.scm_model = ScmModel(self.sa)
     def __call__(self, environ, start_response):
         """Invoke the Controller"""
         # WSGIController.__call__ dispatches to the Controller method
         # the request is routed to. This routing information is
         # available in environ['pylons.routes_dict']
         start = time.time()
         try:
             # make sure that we update permissions each time we call controller
             api_key = request.GET.get('api_key')
             user_id = getattr(session.get('rhodecode_user'), 'user_id', None)
             if asbool(config.get('container_auth_enabled', False)):
                 username = get_container_username(environ)
             else:
                 username = None
             username = get_container_username(environ, config)
             auth_user = AuthUser(user_id, api_key, username)
             self.rhodecode_user = c.rhodecode_user = auth_user
             if not self.rhodecode_user.is_authenticated and \
                        self.rhodecode_user.user_id is not None:
                 self.rhodecode_user.set_authenticated(
                                         getattr(session.get('rhodecode_user'),
                                        'is_authenticated', False))
             session['rhodecode_user'] = self.rhodecode_user
             session.save()
             return WSGIController.__call__(self, environ, start_response)
         finally:
             log.debug('Request time: %.3fs' % (time.time()-start))
             meta.Session.remove()
 class BaseRepoController(BaseController):
     """
     Base class for controllers responsible for loading all needed data for
     repository loaded items are
     c.rhodecode_repo: instance of scm repository
     c.rhodecode_db_repo: instance of db
     c.repository_followers: number of followers
     c.repository_forks: number of forks

rhodecode/lib/middleware/simplegit.py

➞

Show inline comments

@@ @@ -127,65 +127,68 @@ class SimpleGit(object): @@
         action = self.__get_action(environ)
         #======================================================================
         # CHECK ANONYMOUS PERMISSION
         #======================================================================
         if action in ['pull', 'push']:
             anonymous_user = self.__get_user('default')
             username = anonymous_user.username
             anonymous_perm = self.__check_permission(action,
                                                      anonymous_user,
                                                      repo_name)
             if anonymous_perm is not True or anonymous_user.active is False:
                 if anonymous_perm is not True:
                     log.debug('Not enough credentials to access this '
                               'repository as anonymous user')
                 if anonymous_user.active is False:
                     log.debug('Anonymous access is disabled, running '
                               'authentication')
                 #==============================================================
                 # DEFAULT PERM FAILED OR ANONYMOUS ACCESS IS DISABLED SO WE
                 # NEED TO AUTHENTICATE AND ASK FOR AUTH USER PERMISSIONS
                 #==============================================================
                 if not get_container_username(environ, self.config):
                 # Attempting to retrieve username from the container
                 username = get_container_username(environ, self.config)
                 # If not authenticated by the container, running basic auth
                 if not username:
                     self.authenticate.realm = \
                         safe_str(self.config['rhodecode_realm'])
                     result = self.authenticate(environ)
                     if isinstance(result, str):
                         AUTH_TYPE.update(environ, 'basic')
                         REMOTE_USER.update(environ, result)
                         username = result
                     else:
                         return result.wsgi_application(environ, start_response)
                 #==============================================================
                 # CHECK PERMISSIONS FOR THIS REQUEST USING GIVEN USERNAME FROM
                 # BASIC AUTH
                 # CHECK PERMISSIONS FOR THIS REQUEST USING GIVEN USERNAME
                 #==============================================================
                 if action in ['pull', 'push']:
                     username = get_container_username(environ, self.config)
                     try:
                         user = self.__get_user(username)
                         if user is None or not user.active:
                             return HTTPForbidden()(environ, start_response)
                         username = user.username
                     except:
                         log.error(traceback.format_exc())
                         return HTTPInternalServerError()(environ,
                                                          start_response)
                     #check permissions for this repository
                     perm = self.__check_permission(action, user,
                                                    repo_name)
                     if perm is not True:
                         return HTTPForbidden()(environ, start_response)
         extras = {'ip': ipaddr,
                   'username': username,
                   'action': action,
                   'repository': repo_name}
         #===================================================================
         # GIT REQUEST HANDLING
         #===================================================================

rhodecode/lib/middleware/simplehg.py

➞

Show inline comments

@@ @@ -93,65 +93,68 @@ class SimpleHg(object): @@
         #======================================================================
         # CHECK ANONYMOUS PERMISSION
         #======================================================================
         if action in ['pull', 'push']:
             anonymous_user = self.__get_user('default')
             username = anonymous_user.username
             anonymous_perm = self.__check_permission(action,
                                                      anonymous_user,
                                                      repo_name)
             if anonymous_perm is not True or anonymous_user.active is False:
                 if anonymous_perm is not True:
                     log.debug('Not enough credentials to access this '
                               'repository as anonymous user')
                 if anonymous_user.active is False:
                     log.debug('Anonymous access is disabled, running '
                               'authentication')
                 #==============================================================
                 # DEFAULT PERM FAILED OR ANONYMOUS ACCESS IS DISABLED SO WE
                 # NEED TO AUTHENTICATE AND ASK FOR AUTH USER PERMISSIONS
                 #==============================================================
                 if not get_container_username(environ, self.config):
                 # Attempting to retrieve username from the container
                 username = get_container_username(environ, self.config)
                 # If not authenticated by the container, running basic auth
                 if not username:
                     self.authenticate.realm = \
                         safe_str(self.config['rhodecode_realm'])
                     result = self.authenticate(environ)
                     if isinstance(result, str):
                         AUTH_TYPE.update(environ, 'basic')
                         REMOTE_USER.update(environ, result)
                         username = result
                     else:
                         return result.wsgi_application(environ, start_response)
                 #==============================================================
                 # CHECK PERMISSIONS FOR THIS REQUEST USING GIVEN USERNAME FROM
                 # BASIC AUTH
                 # CHECK PERMISSIONS FOR THIS REQUEST USING GIVEN USERNAME
                 #==============================================================
                 if action in ['pull', 'push']:
                     username = get_container_username(environ, self.config)
                     try:
                         user = self.__get_user(username)
                         if user is None or not user.active:
                             return HTTPForbidden()(environ, start_response)
                         username = user.username
                     except:
                         log.error(traceback.format_exc())
                         return HTTPInternalServerError()(environ,
                                                          start_response)
                     #check permissions for this repository
                     perm = self.__check_permission(action, user,
                                                    repo_name)
                     if perm is not True:
                         return HTTPForbidden()(environ, start_response)
         extras = {'ip': ipaddr,
                   'username': username,
                   'action': action,
                   'repository': repo_name}
         #======================================================================
         # MERCURIAL REQUEST HANDLING
         #======================================================================

0 comments (0 inline, 0 general)