kallithea Changeset - 56c2850a5b5f

Changeset - 56c2850a5b5f

Parent rev.

Child rev.

[Not reviewed]

beta

0 5 0

Marcin Kuzminski - 15 years ago 2010-11-25 22:58:28
marcin@python-works.com

ldap auth rewrite, moved split authfunc into two functions,
made ldap case insensitive for uids
added some extra debug messages for ldap, and auth function
added some docs for utils

5 files changed with 70 insertions and 49 deletions:

rhodecode/controllers/login.py

rhodecode/lib/auth.py

rhodecode/lib/utils.py

rhodecode/model/forms.py

rhodecode/model/user.py

0 comments (0 inline, 0 general)

rhodecode/controllers/login.py

➞

Show inline comments

@@ @@ -54,13 +54,13 @@ class LoginController(BaseController): @@
         if request.POST:
             #import Login Form validator class
             login_form = LoginForm()
             try:
                 c.form_result = login_form.to_python(dict(request.POST))
                 username = c.form_result['username']
                 user = UserModel().get_by_username(username)
+                user = UserModel().get_by_username(username, case_insensitive=True)
                 auth_user = AuthUser()
                 auth_user.username = user.username
                 auth_user.is_authenticated = True
                 auth_user.is_admin = user.admin
                 auth_user.user_id = user.user_id
                 auth_user.name = user.name

rhodecode/lib/auth.py

➞

Show inline comments

@@ @@ -74,56 +74,63 @@ def get_crypt_password(password): @@
 def check_password(password, hashed):
     return bcrypt.hashpw(password, hashed) == hashed
 def authfunc(environ, username, password):
     """
     Authentication function used in Mercurial/Git/ and access control,
     Dummy authentication function used in Mercurial/Git/ and access control,
     :param environ: needed only for using in Basic auth
     """
     return authenticate(username, password)
 def authenticate(username, password):
     """
     Authentication function used for access control,
     firstly checks for db authentication then if ldap is enabled for ldap
     authentication, also creates ldap user if not in database
     :param environ: needed only for using in Basic auth, can be None
     :param username: username
     :param password: password
     """
     user_model = UserModel()
     user = user_model.get_by_username(username, cache=False)
     log.debug('Authenticating user using RhodeCode account')
     if user is not None and user.is_ldap is False:
         if user.active:
             if user.username == 'default' and user.active:
                 log.info('user %s authenticated correctly', username)
                 log.info('user %s authenticated correctly as anonymous user',
                          username)
                 return True
             elif user.username == username and check_password(password, user.password):
                 log.info('user %s authenticated correctly', username)
                 return True
         else:
             log.error('user %s is disabled', username)
             log.warning('user %s is disabled', username)
     else:
         #since ldap is searching in case insensitive check if this user is still
         #not in our system
         username = username.lower()
         log.debug('Regular authentication failed')
         user_obj = user_model.get_by_username(username, cache=False,
                                             case_insensitive=True)
         if user_obj is not None and user_obj.is_ldap is False:
             log.debug('this user already exists as non ldap')
             return False
         from rhodecode.model.settings import SettingsModel
         ldap_settings = SettingsModel().get_ldap_settings()
         #======================================================================
         # FALLBACK TO LDAP AUTH IN ENABLE
         #======================================================================
         if ldap_settings.get('ldap_active', False):
+            log.debug("Authenticating user using ldap")
             kwargs = {
                   'server':ldap_settings.get('ldap_host', ''),
                   'base_dn':ldap_settings.get('ldap_base_dn', ''),
                   'port':ldap_settings.get('ldap_port'),
                   'bind_dn':ldap_settings.get('ldap_dn_user'),
                   'bind_pass':ldap_settings.get('ldap_dn_pass'),
@@ @@ -131,24 +138,23 @@ def authfunc(environ, username, password @@
                   'ldap_version':3,
+                  }
             log.debug('Checking for ldap authentication')
             try:
                 aldap = AuthLdap(**kwargs)
                 res = aldap.authenticate_ldap(username, password)
                 log.debug('Got ldap response %s', res)
                 authenticated = res[1]['uid'][0] == username
                 if authenticated and user_model.create_ldap(username, password):
                 if user_model.create_ldap(username, password):
                     log.info('created new ldap user')
                 return authenticated
             except (LdapUsernameError, LdapPasswordError):
                 return False
             except:
                 return True
             except (LdapUsernameError, LdapPasswordError,):
                 pass
             except (Exception,):
                 log.error(traceback.format_exc())
-                return False
+                pass
     return False
 class  AuthUser(object):
     """
     A simple object that handles a mercurial username for authentication
     """

rhodecode/lib/utils.py

➞

Show inline comments

@@ @@ -125,12 +125,19 @@ def get_repos(path, recursive=False, ini @@
         try:
             yield dirpath, get_scm(os.path.join(path, dirpath))
         except VCSError:
             pass
 def check_repo_fast(repo_name, base_path):
     """
     Check given path for existance of directory
     :param repo_name:
     :param base_path:
     :return False: if this directory is present
     """
     if os.path.isdir(os.path.join(base_path, repo_name)):return False
     return True
 def check_repo(repo_name, base_path, verify=True):
     repo_path = os.path.join(base_path, repo_name)

rhodecode/model/forms.py

➞

Show inline comments

@@ @@ -16,30 +16,33 @@ ignore_key_missing False If Tru @@
 <name> = formencode.validators.<name of validator>
 <name> must equal form name
 list=[1,2,3,4,5]
 for SELECT use formencode.All(OneOf(list), Int())
 """
 import os
 import re
 import logging
 import formencode
 from formencode import All
 from formencode.validators import UnicodeString, OneOf, Int, Number, Regex, \
     Email, Bool, StringBoolean
-from pylons import session
 from pylons.i18n.translation import _
 from rhodecode.lib.auth import authfunc, get_crypt_password
 import rhodecode.lib.helpers as h
 from rhodecode.lib.auth import authenticate, get_crypt_password
 from rhodecode.lib.exceptions import LdapImportError
 from rhodecode.model import meta
 from rhodecode.model.user import UserModel
 from rhodecode.model.repo import RepoModel
 from rhodecode.model.db import User
 from rhodecode import BACKENDS
 from webhelpers.pylonslib.secure_form import authentication_token
 from rhodecode import BACKENDS
 import formencode
 import logging
 import os
 import re
 import rhodecode.lib.helpers as h
 log = logging.getLogger(__name__)
 #this is needed to translate the messages using _() in validators
 class State_obj(object):
     _ = staticmethod(_)
@@ @@ -139,13 +142,13 @@ class ValidAuth(formencode.validators.Fa @@
     def validate_python(self, value, state):
         password = value['password']
         username = value['username']
         user = UserModel().get_by_username(username)
-        if authfunc(None, username, password):
+        if authenticate(username, password):
             return value
         else:
             if user and user.active is False:
                 log.warning('user %s is disabled', username)
                 raise formencode.Invalid(self.message('disabled_account',
                                          state=State_obj),

rhodecode/model/user.py

➞

Show inline comments

 #!/usr/bin/env python
 # encoding: utf-8
 # Model for users
 # Copyright (C) 2009-2010 Marcin Kuzminski <marcin@python-works.com>
+#
 # -*- coding: utf-8 -*-
 """
     package.rhodecode.model.user
     ~~~~~~~~~~~~~~
     users model for RhodeCode
     :created_on: Apr 9, 2010
     :author: marcink
     :copyright: (C) 2009-2010 Marcin Kuzminski <marcin@python-works.com>
     :license: GPLv3, see COPYING for more details.
 """
 # This program is free software; you can redistribute it and/or
 # modify it under the terms of the GNU General Public License
 # as published by the Free Software Foundation; version 2
 # of the License or (at your opinion) any later version of the license.
+#
 # This program is distributed in the hope that it will be useful,
@@ @@ -14,30 +20,27 @@ @@
 # GNU General Public License for more details.
+#
 # You should have received a copy of the GNU General Public License
 # along with this program; if not, write to the Free Software
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
 # MA  02110-1301, USA.
 """
 Created on April 9, 2010
 Model for users
 :author: marcink
 """
 from pylons.i18n.translation import _
 from rhodecode.model import BaseModel
 from rhodecode.model.caching_query import FromCache
 from rhodecode.model.db import User
 from rhodecode.lib.exceptions import *
 import logging
 import traceback
 log = logging.getLogger(__name__)
 from pylons.i18n.translation import _
 from rhodecode.model import BaseModel
 from rhodecode.model.caching_query import FromCache
 from rhodecode.model.db import User
 from rhodecode.lib.exceptions import DefaultUserException, UserOwnsReposException
 from sqlalchemy.exc import DatabaseError
 log = logging.getLogger(__name__)
 class UserModel(BaseModel):
     def get(self, user_id, cache=False):
         user = self.sa.query(User)
         if cache:
@@ @@ -76,32 +79,34 @@ class UserModel(BaseModel): @@
         Checks if user is in database, if not creates this user marked
         as ldap user
         :param username:
         :param password:
         """
         from rhodecode.lib.auth import get_crypt_password
         if self.get_by_username(username) is None:
         log.debug('Checking for such ldap account in RhodeCode database')
         if self.get_by_username(username, case_insensitive=True) is None:
             try:
                 new_user = User()
                 new_user.username = username
+                new_user.username = username.lower()#add ldap account always lowercase
                 new_user.password = get_crypt_password(password)
                 new_user.email = '%s@ldap.server' % username
                 new_user.active = True
                 new_user.is_ldap = True
                 new_user.name = '%s@ldap' % username
                 new_user.lastname = ''
                 self.sa.add(new_user)
                 self.sa.commit()
                 return True
             except:
+            except (DatabaseError,):
                 log.error(traceback.format_exc())
                 self.sa.rollback()
                 raise
         log.debug('this %s user exists skipping creation of ldap account',
                   username)
         return False
     def create_registration(self, form_data):
         from rhodecode.lib.celerylib import tasks, run_task
         try:
             new_user = User()

0 comments (0 inline, 0 general)