module = importlib.import_module(plugin)

    except (ImportError, TypeError):

        log.error(traceback.format_exc())

        # TODO: make this more error prone, if by some accident we screw up

        # the plugin name, the crash is pretty bad and hard to recover

        raise

    log.debug("Loaded auth plugin from %s (module:%s, file:%s)",

              plugin, module.__name__, module.__file__)

    pluginclass = getattr(module, PLUGIN_CLASS_NAME)

    if not issubclass(pluginclass, KallitheaAuthPluginBase):

        raise TypeError("Authentication class %s.KallitheaAuthPlugin is not "

                        "a subclass of %s" % (plugin, KallitheaAuthPluginBase))

    plugin = pluginclass()

    if plugin.plugin_settings.im_func != KallitheaAuthPluginBase.plugin_settings.im_func:

        raise TypeError("Authentication class %s.KallitheaAuthPluginBase "

                        "has overridden the plugin_settings method, which is "

                        "forbidden." % plugin)

    return plugin

def get_auth_plugins():

    """Return a list of instances of plugins that are available and enabled"""

    auth_plugins = []

    for plugin_name in Setting.get_by_name("auth_plugins").app_settings_value:

        try:

            plugin = loadplugin(plugin_name)

        except Exception:

            log.exception('Failed to load authentication module %s' % (plugin_name))

        else:

            auth_plugins.append(plugin)

    return auth_plugins

def authenticate(username, password, environ=None):

    """

    Authentication function used for access control,

    It tries to authenticate based on enabled authentication modules.

    :param username: username can be empty for container auth

    :param password: password can be empty for container auth

    :param environ: environ headers passed for container auth

    :returns: None if auth failed, user_data dict if auth is correct

    """

    auth_plugins = get_auth_plugins()

    for plugin in auth_plugins:

        module = plugin.__class__.__module__

        # load plugin settings from Kallithea database

        plugin_name = plugin.name

        plugin_settings = {}

        for v in plugin.plugin_settings():

            conf_key = "auth_%s_%s" % (plugin_name, v["name"])

            setting = Setting.get_by_name(conf_key)

            plugin_settings[v["name"]] = setting.app_settings_value if setting else None

        if not str2bool(plugin_settings["enabled"]):

            log.info("Authentication plugin %s is disabled, skipping for %s",

                     module, username)

            continue

        # use plugin's method of user extraction.

        user = plugin.get_user(username, environ=environ,

                               settings=plugin_settings)

        if not plugin.accepts(user):

            log.debug('Plugin %s does not accept user `%s` for authentication',

                      module, user)

            continue

        else:

            log.debug('Plugin %s accepted user `%s` for authentication',

                      module, user)

            # The user might have tried to authenticate using their email address,

            # then the username variable wouldn't contain a valid username.

            # But as the plugin has accepted the user, .username field should

            # have a valid username, so use it for authentication purposes.

            if user is not None:

                username = user.username

        # _authenticate is a wrapper for .auth() method of plugin.

        # it checks if .auth() sends proper data. For KallitheaExternalAuthPlugin

        # it also maps users to Database and maps the attributes returned

        # from .auth() to Kallithea database. If this function returns data

        # then auth is correct.

        user_data = plugin._authenticate(user, username, password,

                                           plugin_settings,

                                           environ=environ or {})

        if user_data is not None:

            log.debug('Plugin returned proper authentication data')

            return user_data

        # we failed to Auth because .auth() method didn't return the user

        if username:

            log.warning("User `%s` failed to authenticate against %s",

    return None

def get_managed_fields(user):

    """return list of fields that are managed by the user's auth source, usually some of

    'username', 'firstname', 'lastname', 'email', 'active', 'password'

    """

    auth_plugins = get_auth_plugins()

    for plugin in auth_plugins:

        module = plugin.__class__.__module__

        log.debug('testing %s (%s) with auth plugin %s', user, user.extern_type, module)

        if plugin.name == user.extern_type:

            return plugin.get_managed_fields()

    log.error('no auth plugin %s found for %s', user.extern_type, user)

    return [] # TODO: Fail badly instead of allowing everything to be edited?