kallithea Changeset - cb472dfe807d

Changeset - cb472dfe807d

Parent rev.

Child rev.

[Not reviewed]

default

0 6 0

Mads Kiilerich - 7 years ago 2018-12-26 01:53:28
mads@kiilerich.com

auth: drop active_from_extern from internal auth API

Modules should never auth a user if the auth source knows the user is inactive.
Also, it is too late and unreliable to disable users when they try to log in.
There is thus no need for this concept.

Only the crowd module had some traces of actual active_from_extern usage. The
'active' flag for crowd users was fully controlled from crowd. Now, Instead,
just let crowd reject authentication of users that are inactive in crowd, and
leave the internal Kallithea 'active' flag under admin control.

6 files changed with 6 insertions and 20 deletions:

kallithea/lib/auth_modules/__init__.py

kallithea/lib/auth_modules/auth_container.py

kallithea/lib/auth_modules/auth_crowd.py

kallithea/lib/auth_modules/auth_internal.py

kallithea/lib/auth_modules/auth_ldap.py

kallithea/lib/auth_modules/auth_pam.py

0 comments (0 inline, 0 general)

kallithea/lib/auth_modules/__init__.py

➞

Show inline comments

@@ @@ -34,50 +34,48 @@ class LazyFormencode(object): @@
     def __init__(self, formencode_obj, *args, **kwargs):
         self.formencode_obj = formencode_obj
         self.args = args
         self.kwargs = kwargs
     def __call__(self, *args, **kwargs):
         from inspect import isfunction
         formencode_obj = self.formencode_obj
         if isfunction(formencode_obj):
             # case we wrap validators into functions
             formencode_obj = self.formencode_obj(*args, **kwargs)
         return formencode_obj(*self.args, **self.kwargs)
 class KallitheaAuthPluginBase(object):
     auth_func_attrs = {
         "username": "unique username",
         "firstname": "first name",
         "lastname": "last name",
         "email": "email address",
         "groups": '["list", "of", "groups"]',
         "extern_name": "name in external source of record",
         "admin": 'True|False defines if user should be Kallithea admin',
         "active": 'True|False defines active state of user in Kallithea',
         "active_from_extern": "True|False|None, active state from the external auth, "
                               "None means use value from the auth plugin"
+    }
     @property
     def validators(self):
         """
         Exposes Kallithea validators modules
         """
         # this is a hack to overcome issues with pylons threadlocals and
         # translator object _() not being registered properly.
         class LazyCaller(object):
             def __init__(self, name):
                 self.validator_name = name
             def __call__(self, *args, **kwargs):
                 from kallithea.model import validators as v
                 obj = getattr(v, self.validator_name)
                 #log.debug('Initializing lazy formencode object: %s', obj)
                 return LazyFormencode(obj, *args, **kwargs)
         class ProxyGet(object):
             def __getattribute__(self, name):
                 return LazyCaller(name)
         return ProxyGet()
@@ @@ -236,69 +234,57 @@ class KallitheaAuthPluginBase(object): @@
     def _validate_auth_return(self, user_data):
         if not isinstance(user_data, dict):
             raise Exception('returned value from auth must be a dict')
         for k in self.auth_func_attrs:
             if k not in user_data:
                 raise Exception('Missing %s attribute from returned data' % k)
         return user_data
 class KallitheaExternalAuthPlugin(KallitheaAuthPluginBase):
     def use_fake_password(self):
         """
         Return a boolean that indicates whether or not we should set the user's
         password to a random value when it is authenticated by this plugin.
         If your plugin provides authentication, then you will generally want this.
         :returns: boolean
         """
         raise NotImplementedError("Not implemented in base class")
     def _authenticate(self, userobj, username, passwd, settings, **kwargs):
         user_data = super(KallitheaExternalAuthPlugin, self)._authenticate(
             userobj, username, passwd, settings, **kwargs)
         if user_data is not None:
             # maybe plugin will clean the username ?
             # we should use the return value
             username = user_data['username']
             # if user is not active from our extern type we should fail to auth
             # this can prevent from creating users in Kallithea when using
             # external authentication, but if it's inactive user we shouldn't
             # create that user anyway
             if user_data['active_from_extern'] is False:
                 log.warning("User %s authenticated against %s, but is inactive",
                             username, self.__module__)
                 return None
             if self.use_fake_password():
                 # Randomize the PW because we don't need it, but don't want
                 # them blank either
                 passwd = PasswordGenerator().gen_password(length=8)
             log.debug('Updating or creating user info from %s plugin',
                       self.name)
             user = UserModel().create_or_update(
                 username=username,
+                username=user_data['username'],
                 password=passwd,
                 email=user_data["email"],
                 firstname=user_data["firstname"],
                 lastname=user_data["lastname"],
                 active=user_data["active"],
                 admin=user_data["admin"],
                 extern_name=user_data["extern_name"],
                 extern_type=self.name
+            )
             # enforce user is just in given groups, all of them has to be ones
             # created from plugins. We store this info in _group_data JSON field
             groups = user_data['groups'] or []
             UserGroupModel().enforce_groups(user, groups, self.name)
             Session().commit()
         return user_data
 def loadplugin(plugin):
     """
     Imports, instantiates, and returns the authentication plugin in the module named by plugin
     (e.g., plugin='kallithea.lib.auth_modules.auth_internal'). Returns an instance of the
     KallitheaAuthPluginBase subclass on success, raises exceptions on failure.
     raises:

kallithea/lib/auth_modules/auth_container.py

➞

Show inline comments

@@ @@ -187,40 +187,39 @@ class KallitheaAuthPlugin(auth_modules.K @@
         if not username:
             # we don't have any objects in DB, user doesn't exist, extract
             # username from environ based on the settings
             username = self._get_username(environ, settings)
         # if cannot fetch username, it's a no-go for this plugin to proceed
         if not username:
             return None
         # old attrs fetched from Kallithea database
         admin = getattr(userobj, 'admin', False)
         active = getattr(userobj, 'active', True)
         email = environ.get(settings.get('email_header'), getattr(userobj, 'email', ''))
         firstname = environ.get(settings.get('firstname_header'), getattr(userobj, 'firstname', ''))
         lastname = environ.get(settings.get('lastname_header'), getattr(userobj, 'lastname', ''))
         user_data = {
             'username': username,
             'firstname': safe_unicode(firstname or username),
             'lastname': safe_unicode(lastname or ''),
             'groups': [],
             'email': email or '',
             'admin': admin or False,
             'active': active,
             'active_from_extern': True,
             'extern_name': username,
+        }
         log.info('user `%s` authenticated correctly', user_data['username'])
         return user_data
     def get_managed_fields(self):
         fields = ['username', 'password']
         if(Setting.get_by_name('auth_container_email_header').app_settings_value):
             fields.append('email')
         if(Setting.get_by_name('auth_container_firstname_header').app_settings_value):
             fields.append('firstname')
         if(Setting.get_by_name('auth_container_lastname_header').app_settings_value):
             fields.append('lastname')
         return fields

kallithea/lib/auth_modules/auth_crowd.py

➞

Show inline comments

@@ @@ -197,59 +197,63 @@ class KallitheaAuthPlugin(auth_modules.K @@
         def_user_perms = User.get_default_user().AuthUser.permissions['global']
         return 'hg.extern_activate.auto' in def_user_perms
     def auth(self, userobj, username, password, settings, **kwargs):
         """
         Given a user object (which may be null), username, a plaintext password,
         and a settings object (containing all the keys needed as listed in settings()),
         authenticate this user's login attempt.
         Return None on failure. On success, return a dictionary of the form:
             see: KallitheaAuthPluginBase.auth_func_attrs
         This is later validated for correctness
         """
         if not username or not password:
             log.debug('Empty username or password skipping...')
             return None
         log.debug("Crowd settings: \n%s", formatted_json(settings))
         server = CrowdServer(**settings)
         server.set_credentials(settings["app_name"], settings["app_password"])
         crowd_user = server.user_auth(username, password)
         log.debug("Crowd returned: \n%s", formatted_json(crowd_user))
         if not crowd_user["status"]:
             log.error('Crowd authentication as %s returned no status', username)
             return None
         if not crowd_user.get('active'):
             log.error('Crowd authentication as %s returned in-active user', username)
             return None
         res = server.user_groups(crowd_user["name"])
         log.debug("Crowd groups: \n%s", formatted_json(res))
         crowd_user["groups"] = [x["name"] for x in res["groups"]]
         # old attrs fetched from Kallithea database
         admin = getattr(userobj, 'admin', False)
         active = getattr(userobj, 'active', True)
         email = getattr(userobj, 'email', '')
         firstname = getattr(userobj, 'firstname', '')
         lastname = getattr(userobj, 'lastname', '')
         user_data = {
             'username': crowd_user["name"] or username,
             'firstname': crowd_user["first-name"] or firstname,
             'lastname': crowd_user["last-name"] or lastname,
             'groups': crowd_user["groups"],
             'email': crowd_user["email"] or email,
             'admin': admin,
             'active': active,
             'active_from_extern': crowd_user.get('active'), # ???
             'extern_name': crowd_user["name"],
+        }
         # set an admin if we're in admin_groups of crowd
         for group in settings["admin_groups"].split(","):
             if group in user_data["groups"]:
                 user_data["admin"] = True
         log.debug("Final crowd user object: \n%s", formatted_json(user_data))
         log.info('user %s authenticated correctly', user_data['username'])
         return user_data
     def get_managed_fields(self):
         return ['username', 'firstname', 'lastname', 'email', 'password']

kallithea/lib/auth_modules/auth_internal.py

➞

Show inline comments

@@ @@ -58,49 +58,48 @@ class KallitheaAuthPlugin(auth_modules.K @@
         """
         return super(KallitheaAuthPlugin, self).accepts(user,
                                                         accepts_empty=False)
     def auth(self, userobj, username, password, settings, **kwargs):
         if not userobj:
             log.debug('userobj was:%s skipping', userobj)
             return None
         if userobj.extern_type != self.name:
             log.warning("userobj:%s extern_type mismatch got:`%s` expected:`%s`",
                      userobj, userobj.extern_type, self.name)
             return None
         if not username:
             log.debug('Empty username - skipping...')
             return None
         user_data = {
             "username": userobj.username,
             "firstname": userobj.firstname,
             "lastname": userobj.lastname,
             "groups": [],
             "email": userobj.email,
             "admin": userobj.admin,
             "active": userobj.active,
             "active_from_extern": userobj.active,
             "extern_name": userobj.user_id,
+        }
         log.debug(formatted_json(user_data))
         if userobj.active:
             from kallithea.lib import auth
             password_match = auth.check_password(password, userobj.password)
             if userobj.is_default_user and userobj.active:
                 log.info('user %s authenticated correctly as anonymous user',
                          username)
                 return user_data
             elif userobj.username == username and password_match:
                 log.info('user %s authenticated correctly', user_data['username'])
                 return user_data
             log.error("user %s had a bad password", username)
             return None
         else:
             log.warning('user %s tried auth but is disabled', username)
             return None
     def get_managed_fields(self):
         # Note: 'username' should only be editable (at least for user) if self registration is enabled
         return []

kallithea/lib/auth_modules/auth_ldap.py

➞

Show inline comments

@@ @@ -331,40 +331,39 @@ class KallitheaAuthPlugin(auth_modules.K @@
         log.debug('Checking for ldap authentication')
         try:
             aldap = AuthLdap(**kwargs)
             (user_dn, ldap_attrs) = aldap.authenticate_ldap(username, password)
             log.debug('Got ldap DN response %s', user_dn)
             get_ldap_attr = lambda k: ldap_attrs.get(settings.get(k), [''])[0]
             # old attrs fetched from Kallithea database
             admin = getattr(userobj, 'admin', False)
             active = getattr(userobj, 'active', self.user_activation_state())
             email = getattr(userobj, 'email', '')
             firstname = getattr(userobj, 'firstname', '')
             lastname = getattr(userobj, 'lastname', '')
             user_data = {
                 'username': username,
                 'firstname': safe_unicode(get_ldap_attr('attr_firstname') or firstname),
                 'lastname': safe_unicode(get_ldap_attr('attr_lastname') or lastname),
                 'groups': [],
                 'email': get_ldap_attr('attr_email') or email,
                 'admin': admin,
                 'active': active,
                 "active_from_extern": None,
                 'extern_name': user_dn,
+            }
             log.info('user %s authenticated correctly', user_data['username'])
             return user_data
         except LdapUsernameError:
             log.info('Error authenticating %s with LDAP: User not found', username)
         except LdapPasswordError:
             log.info('Error authenticating %s with LDAP: Password error', username)
         except LdapImportError:
             log.error('Error authenticating %s with LDAP: LDAP not available', username)
         return None
     def get_managed_fields(self):
         return ['username', 'firstname', 'lastname', 'email', 'password']

kallithea/lib/auth_modules/auth_pam.py

➞

Show inline comments

@@ @@ -107,45 +107,44 @@ class KallitheaAuthPlugin(auth_modules.K @@
             finally:
                 _pam_lock.release()
             if not auth_result:
                 log.error("PAM was unable to authenticate user: %s", username)
                 return None
         else:
             log.debug("Using cached auth for user: %s", username)
         # old attrs fetched from Kallithea database
         admin = getattr(userobj, 'admin', False)
         active = getattr(userobj, 'active', True)
         email = getattr(userobj, 'email', '') or "%s@%s" % (username, socket.gethostname())
         firstname = getattr(userobj, 'firstname', '')
         lastname = getattr(userobj, 'lastname', '')
         user_data = {
             'username': username,
             'firstname': firstname,
             'lastname': lastname,
             'groups': [g.gr_name for g in grp.getgrall() if username in g.gr_mem],
             'email': email,
             'admin': admin,
             'active': active,
             "active_from_extern": None,
             'extern_name': username,
+        }
         try:
             user_pw_data = pwd.getpwnam(username)
             regex = settings["gecos"]
             match = re.search(regex, user_pw_data.pw_gecos)
             if match:
                 user_data["firstname"] = match.group('first_name')
                 user_data["lastname"] = match.group('last_name')
         except Exception:
             log.warning("Cannot extract additional info for PAM user %s", username)
             pass
         log.debug("pamuser: \n%s", formatted_json(user_data))
         log.info('user %s authenticated correctly', user_data['username'])
         return user_data
     def get_managed_fields(self):
         return ['username', 'password']

0 comments (0 inline, 0 general)