kallithea Changeset - cb472dfe807d

Changeset - cb472dfe807d

Parent rev.

Child rev.

[Not reviewed]

default

0 6 0

Mads Kiilerich - 7 years ago 2018-12-26 01:53:28
mads@kiilerich.com

auth: drop active_from_extern from internal auth API

Modules should never auth a user if the auth source knows the user is inactive.
Also, it is too late and unreliable to disable users when they try to log in.
There is thus no need for this concept.

Only the crowd module had some traces of actual active_from_extern usage. The
'active' flag for crowd users was fully controlled from crowd. Now, Instead,
just let crowd reject authentication of users that are inactive in crowd, and
leave the internal Kallithea 'active' flag under admin control.

6 files changed with 6 insertions and 20 deletions:

kallithea/lib/auth_modules/__init__.py

kallithea/lib/auth_modules/auth_container.py

kallithea/lib/auth_modules/auth_crowd.py

kallithea/lib/auth_modules/auth_internal.py

kallithea/lib/auth_modules/auth_ldap.py

kallithea/lib/auth_modules/auth_pam.py

0 comments (0 inline, 0 general)

kallithea/lib/auth_modules/__init__.py

➞

Show inline comments

@@ @@ -52,14 +52,12 @@ class KallitheaAuthPluginBase(object): @@
         "lastname": "last name",
         "email": "email address",
         "groups": '["list", "of", "groups"]',
         "extern_name": "name in external source of record",
         "admin": 'True|False defines if user should be Kallithea admin',
         "active": 'True|False defines active state of user in Kallithea',
         "active_from_extern": "True|False|None, active state from the external auth, "
                               "None means use value from the auth plugin"
+    }
     @property
     def validators(self):
         """
         Exposes Kallithea validators modules
@@ @@ -254,33 +252,21 @@ class KallitheaExternalAuthPlugin(Kallit @@
         raise NotImplementedError("Not implemented in base class")
     def _authenticate(self, userobj, username, passwd, settings, **kwargs):
         user_data = super(KallitheaExternalAuthPlugin, self)._authenticate(
             userobj, username, passwd, settings, **kwargs)
         if user_data is not None:
             # maybe plugin will clean the username ?
             # we should use the return value
             username = user_data['username']
             # if user is not active from our extern type we should fail to auth
             # this can prevent from creating users in Kallithea when using
             # external authentication, but if it's inactive user we shouldn't
             # create that user anyway
             if user_data['active_from_extern'] is False:
                 log.warning("User %s authenticated against %s, but is inactive",
                             username, self.__module__)
                 return None
             if self.use_fake_password():
                 # Randomize the PW because we don't need it, but don't want
                 # them blank either
                 passwd = PasswordGenerator().gen_password(length=8)
             log.debug('Updating or creating user info from %s plugin',
                       self.name)
             user = UserModel().create_or_update(
                 username=username,
+                username=user_data['username'],
                 password=passwd,
                 email=user_data["email"],
                 firstname=user_data["firstname"],
                 lastname=user_data["lastname"],
                 active=user_data["active"],
                 admin=user_data["admin"],

kallithea/lib/auth_modules/auth_container.py

➞

Show inline comments

@@ @@ -205,13 +205,12 @@ class KallitheaAuthPlugin(auth_modules.K @@
             'firstname': safe_unicode(firstname or username),
             'lastname': safe_unicode(lastname or ''),
             'groups': [],
             'email': email or '',
             'admin': admin or False,
             'active': active,
             'active_from_extern': True,
             'extern_name': username,
+        }
         log.info('user `%s` authenticated correctly', user_data['username'])
         return user_data

kallithea/lib/auth_modules/auth_crowd.py

➞

Show inline comments

@@ @@ -215,12 +215,17 @@ class KallitheaAuthPlugin(auth_modules.K @@
         log.debug("Crowd settings: \n%s", formatted_json(settings))
         server = CrowdServer(**settings)
         server.set_credentials(settings["app_name"], settings["app_password"])
         crowd_user = server.user_auth(username, password)
         log.debug("Crowd returned: \n%s", formatted_json(crowd_user))
         if not crowd_user["status"]:
             log.error('Crowd authentication as %s returned no status', username)
             return None
         if not crowd_user.get('active'):
             log.error('Crowd authentication as %s returned in-active user', username)
             return None
         res = server.user_groups(crowd_user["name"])
         log.debug("Crowd groups: \n%s", formatted_json(res))
         crowd_user["groups"] = [x["name"] for x in res["groups"]]
@@ @@ -236,13 +241,12 @@ class KallitheaAuthPlugin(auth_modules.K @@
             'firstname': crowd_user["first-name"] or firstname,
             'lastname': crowd_user["last-name"] or lastname,
             'groups': crowd_user["groups"],
             'email': crowd_user["email"] or email,
             'admin': admin,
             'active': active,
             'active_from_extern': crowd_user.get('active'), # ???
             'extern_name': crowd_user["name"],
+        }
         # set an admin if we're in admin_groups of crowd
         for group in settings["admin_groups"].split(","):
             if group in user_data["groups"]:

kallithea/lib/auth_modules/auth_internal.py

➞

Show inline comments

@@ @@ -76,13 +76,12 @@ class KallitheaAuthPlugin(auth_modules.K @@
             "firstname": userobj.firstname,
             "lastname": userobj.lastname,
             "groups": [],
             "email": userobj.email,
             "admin": userobj.admin,
             "active": userobj.active,
             "active_from_extern": userobj.active,
             "extern_name": userobj.user_id,
+        }
         log.debug(formatted_json(user_data))
         if userobj.active:
             from kallithea.lib import auth

kallithea/lib/auth_modules/auth_ldap.py

➞

Show inline comments

@@ @@ -349,13 +349,12 @@ class KallitheaAuthPlugin(auth_modules.K @@
                 'firstname': safe_unicode(get_ldap_attr('attr_firstname') or firstname),
                 'lastname': safe_unicode(get_ldap_attr('attr_lastname') or lastname),
                 'groups': [],
                 'email': get_ldap_attr('attr_email') or email,
                 'admin': admin,
                 'active': active,
                 "active_from_extern": None,
                 'extern_name': user_dn,
+            }
             log.info('user %s authenticated correctly', user_data['username'])
             return user_data
         except LdapUsernameError:

kallithea/lib/auth_modules/auth_pam.py

➞

Show inline comments

@@ @@ -125,13 +125,12 @@ class KallitheaAuthPlugin(auth_modules.K @@
             'firstname': firstname,
             'lastname': lastname,
             'groups': [g.gr_name for g in grp.getgrall() if username in g.gr_mem],
             'email': email,
             'admin': admin,
             'active': active,
             "active_from_extern": None,
             'extern_name': username,
+        }
         try:
             user_pw_data = pwd.getpwnam(username)
             regex = settings["gecos"]

0 comments (0 inline, 0 general)