kallithea Changeset - 8394211b1c32

Changeset - 8394211b1c32

Parent rev.

Child rev.

[Not reviewed]

default

0 2 0

Søren Løvborg - 10 years ago 2015-07-14 14:00:15
kwi@kwi.dk

AuthUser: refactor AuthUser cookie/session serialization

* All serialization/deserialization logic is now in one place.

* CookieStoreWrapper is gone; any login sessions established in 2012 or
earlier will be terminated and users will have to log in again.

* The term "cookie store" has been dropped in favor of simply "cookie"
(the value is not a cookie "store" or data repository, but just the
actual cookie/session serialization of AuthUser).

Note: from_cookie_store was never used.

2 files changed with 26 insertions and 44 deletions:

kallithea/lib/auth.py

kallithea/lib/base.py

0 comments (0 inline, 0 general)

kallithea/lib/auth.py

➞

Show inline comments

@@ @@ -135,39 +135,24 @@ class KallitheaCrypto(object): @@
             raise Exception('Unknown or unsupported platform %s' \
                             % __platform__)
 def get_crypt_password(password):
     return KallitheaCrypto.hash_string(password)
 def check_password(password, hashed):
     return KallitheaCrypto.hash_check(password, hashed)
 class CookieStoreWrapper(object):
     def __init__(self, cookie_store):
         self.cookie_store = cookie_store
     def __repr__(self):
         return 'CookieStore<%s>' % (self.cookie_store)
     def get(self, key, other=None):
         if isinstance(self.cookie_store, dict):
             return self.cookie_store.get(key, other)
         elif isinstance(self.cookie_store, AuthUser):
             return self.cookie_store.__dict__.get(key, other)
 def _cached_perms_data(user_id, user_is_admin, user_inherit_default_permissions,
                        explicit, algo):
     RK = 'repositories'
     GK = 'repositories_groups'
     UK = 'user_groups'
     GLOBAL = 'global'
     PERM_WEIGHTS = Permission.PERM_WEIGHTS
     permissions = {RK: {}, GK: {}, UK: {}, GLOBAL: set()}
     def _choose_perm(new_perm, cur_perm):
         new_perm_val = PERM_WEIGHTS[new_perm]
@@ @@ -633,41 +618,46 @@ class AuthUser(object): @@
             log.info('Access for IP:%s forbidden, '
                      'not in %s' % (ip_addr, allowed_ips))
             return False
     def __repr__(self):
         return "<AuthUser('id:%s[%s] auth:%s')>"\
             % (self.user_id, self.username, self.is_authenticated)
     def set_authenticated(self, authenticated=True):
         if self.user_id != self.anonymous_user.user_id:
             self.is_authenticated = authenticated
     def get_cookie_store(self):
         return {'username': self.username,
     def to_cookie(self):
         """ Serializes this login session to a cookie `dict`. """
         return {
                 'user_id': self.user_id,
                 'is_authenticated': self.is_authenticated}
             'username': self.username,
             'is_authenticated': self.is_authenticated,
+        }
     @classmethod
     def from_cookie_store(cls, cookie_store):
     @staticmethod
     def from_cookie(cookie):
         """
         Creates AuthUser from a cookie store
         :param cls:
         :param cookie_store:
         Deserializes an `AuthUser` from a cookie `dict`.
         """
         user_id = cookie_store.get('user_id')
         username = cookie_store.get('username')
         api_key = cookie_store.get('api_key')
         return AuthUser(user_id, api_key, username)
         au = AuthUser(
             user_id=cookie.get('user_id'),
             username=cookie.get('username'),
+        )
         if not au.is_authenticated and au.user_id is not None:
             # user is not authenticated and not empty
             au.set_authenticated(cookie.get('is_authenticated'))
         return au
     @classmethod
     def get_allowed_ips(cls, user_id, cache=False, inherit_from_default=False):
         _set = set()
         if inherit_from_default:
             default_ips = UserIpMap.query().filter(UserIpMap.user ==
                                             User.get_default_user(cache=True))
             if cache:
                 default_ips = default_ips.options(FromCache("sql_cache_short",
                                                   "get_user_ips_default"))

kallithea/lib/base.py

➞

Show inline comments

@@ @@ -40,25 +40,25 @@ import paste.httpheaders @@
 from pylons import config, tmpl_context as c, request, session, url
 from pylons.controllers import WSGIController
 from pylons.controllers.util import redirect
 from pylons.templating import render_mako as render  # don't remove this import
 from pylons.i18n.translation import _
 from kallithea import __version__, BACKENDS
 from kallithea.lib.utils2 import str2bool, safe_unicode, AttributeDict,\
     safe_str, safe_int
 from kallithea.lib import auth_modules
-from kallithea.lib.auth import AuthUser, HasPermissionAnyMiddleware, CookieStoreWrapper
 from kallithea.lib.auth import AuthUser, HasPermissionAnyMiddleware
 from kallithea.lib.utils import get_repo_slug
 from kallithea.lib.exceptions import UserCreationError
 from kallithea.lib.vcs.exceptions import RepositoryError, EmptyRepositoryError, ChangesetDoesNotExistError
 from kallithea.model import meta
 from kallithea.model.db import Repository, Ui, User, Setting
 from kallithea.model.notification import NotificationModel
 from kallithea.model.scm import ScmModel
 from kallithea.model.pull_request import PullRequestModel
 log = logging.getLogger(__name__)
@@ @@ -111,36 +111,35 @@ def log_in_user(user, remember): @@
     the end of the browser session.
     Returns populated `AuthUser` object.
     """
     user.update_lastlogin()
     meta.Session().commit()
     auth_user = AuthUser(user_id=user.user_id)
     auth_user.set_authenticated()
     # Start new session to prevent session fixation attacks.
     session.invalidate()
     cs = auth_user.get_cookie_store()
     session['authuser'] = cs
     session['authuser'] = cookie = auth_user.to_cookie()
     # If they want to be remembered, update the cookie
     if remember:
         t = datetime.datetime.now() + datetime.timedelta(days=365)
         session._set_cookie_expires(t)
     session.save()
     log.info('user %s is now authenticated and stored in '
-             'session, session attrs %s', user.username, cs)
+             'session, session attrs %s', user.username, cookie)
     # dumps session attrs back to cookie
     session._update_cookie_out()
     return auth_user
 class BasicAuth(paste.auth.basic.AuthBasicAuthenticator):
     def __init__(self, realm, authfunc, auth_http_code=None):
         self.realm = realm
         self.authfunc = authfunc
@@ @@ -379,44 +378,37 @@ class BaseController(WSGIController): @@
     def _determine_auth_user(api_key, session_authuser):
         """
         Create an `AuthUser` object given the IP address of the request, the
         API key (if any), and the authuser from the session.
         """
         # Authenticate by API key
         if api_key:
             # when using API_KEY we are sure user exists.
             return AuthUser(api_key=api_key)
         # Authenticate by session cookie
         cookie_store = CookieStoreWrapper(session_authuser)
         user_id = cookie_store.get('user_id')
         if user_id is not None:
         cookie = session.get('authuser')
         # In ancient login sessions, 'authuser' may not be a dict.
         # In that case, the user will have to log in again.
         if isinstance(cookie, dict):
             try:
-                auth_user = AuthUser(user_id=user_id)
+                return AuthUser.from_cookie(cookie)
             except UserCreationError as e:
                 # container auth or other auth functions that create users on
                 # the fly can throw UserCreationError to signal issues with
                 # user creation. Explanation should be provided in the
                 # exception object.
                 from kallithea.lib import helpers as h
                 h.flash(e, 'error', logf=log.error)
             else:
                 authenticated = cookie_store.get('is_authenticated')
                 if not auth_user.is_authenticated and auth_user.user_id is not None:
                     # user is not authenticated and not empty
                     auth_user.set_authenticated(authenticated)
                 return auth_user
         # Authenticate by auth_container plugin (if enabled)
         if any(
             auth_modules.importplugin(name).is_container_auth
             for name in Setting.get_auth_plugins()
         ):
             try:
                 auth_info = auth_modules.authenticate('', '', request.environ)
             except UserCreationError as e:
                 from kallithea.lib import helpers as h
                 h.flash(e, 'error', logf=log.error)
             else:

0 comments (0 inline, 0 general)