diff --git a/rhodecode/lib/auth.py b/rhodecode/lib/auth.py --- a/rhodecode/lib/auth.py +++ b/rhodecode/lib/auth.py @@ -223,6 +223,43 @@ def authenticate(username, password): pass return False +def login_container_auth(username): + user = User.get_by_username(username) + if user is None: + user_model = UserModel() + user_attrs = { + 'name': username, + 'lastname': None, + 'email': None, + } + if not user_model.create_for_container_auth(username, user_attrs): + return None + user = User.get_by_username(username) + log.info('User %s was created by container authentication', username) + + if not user.active: + return None + + user.update_lastlogin() + log.debug('User %s is now logged in by container authentication', user.username) + return user + +def get_container_username(environ, cfg=config): + from paste.httpheaders import REMOTE_USER + from paste.deploy.converters import asbool + + username = REMOTE_USER(environ) + + if not username and asbool(cfg.get('proxypass_auth_enabled', False)): + username = environ.get('HTTP_X_FORWARDED_USER') + + if username: + #Removing realm and domain from username + username = username.partition('@')[0] + username = username.rpartition('\\')[2] + log.debug('Received username %s from container', username) + + return username class AuthUser(object): """ @@ -234,12 +271,12 @@ class AuthUser(object): in """ - def __init__(self, user_id=None, api_key=None): + def __init__(self, user_id=None, api_key=None, username=None): self.user_id = user_id self.api_key = None - - self.username = 'None' + self.username = username + self.name = '' self.lastname = '' self.email = '' @@ -252,23 +289,37 @@ class AuthUser(object): def propagate_data(self): user_model = UserModel() self.anonymous_user = User.get_by_username('default') + is_user_loaded = False if self._api_key and self._api_key != self.anonymous_user.api_key: #try go get user by api key log.debug('Auth User lookup by API KEY %s', self._api_key) - user_model.fill_data(self, api_key=self._api_key) - else: + is_user_loaded = user_model.fill_data(self, api_key=self._api_key) + elif self.user_id is not None \ + and self.user_id != self.anonymous_user.user_id: log.debug('Auth User lookup by USER ID %s', self.user_id) - if self.user_id is not None \ - and self.user_id != self.anonymous_user.user_id: - user_model.fill_data(self, user_id=self.user_id) + is_user_loaded = user_model.fill_data(self, user_id=self.user_id) + elif self.username: + log.debug('Auth User lookup by USER NAME %s', self.username) + dbuser = login_container_auth(self.username) + if dbuser is not None: + for k, v in dbuser.get_dict().items(): + setattr(self, k, v) + self.set_authenticated() + is_user_loaded = True + + if not is_user_loaded: + if self.anonymous_user.active is True: + user_model.fill_data(self, + user_id=self.anonymous_user.user_id) + #then we set this user is logged in + self.is_authenticated = True else: - if self.anonymous_user.active is True: - user_model.fill_data(self, - user_id=self.anonymous_user.user_id) - #then we set this user is logged in - self.is_authenticated = True - else: - self.is_authenticated = False + self.user_id = None + self.username = None + self.is_authenticated = False + + if not self.username: + self.username = 'None' log.debug('Auth User is now %s', self) user_model.fill_perms(self)