auth_jasig_cas.py
173 lines
| 6.0 KiB
| text/x-python
|
PythonLexer
r5088 | # Copyright (C) 2012-2023 RhodeCode GmbH | |||
r1 | # | |||
# This program is free software: you can redistribute it and/or modify | ||||
# it under the terms of the GNU Affero General Public License, version 3 | ||||
# (only), as published by the Free Software Foundation. | ||||
# | ||||
# This program is distributed in the hope that it will be useful, | ||||
# but WITHOUT ANY WARRANTY; without even the implied warranty of | ||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||||
# GNU General Public License for more details. | ||||
# | ||||
# You should have received a copy of the GNU Affero General Public License | ||||
# along with this program. If not, see <http://www.gnu.org/licenses/>. | ||||
# | ||||
# This program is dual-licensed. If you wish to learn more about the | ||||
# RhodeCode Enterprise Edition, including its added features, Support services, | ||||
# and proprietary license terms, please see https://rhodecode.com/licenses/ | ||||
""" | ||||
RhodeCode authentication plugin for Jasig CAS | ||||
http://www.jasig.org/cas | ||||
""" | ||||
import colander | ||||
import logging | ||||
import rhodecode | ||||
r5057 | import urllib.request | |||
import urllib.parse | ||||
import urllib.error | ||||
r1 | ||||
r1454 | from rhodecode.translation import _ | |||
from rhodecode.authentication.base import ( | ||||
RhodeCodeExternalAuthPlugin, hybrid_property) | ||||
r1 | from rhodecode.authentication.schema import AuthnPluginSettingsSchemaBase | |||
from rhodecode.authentication.routes import AuthnPluginResourceBase | ||||
r55 | from rhodecode.lib.colander_utils import strip_whitespace | |||
r1 | from rhodecode.model.db import User | |||
r5057 | from rhodecode.lib.str_utils import safe_str | |||
r1 | ||||
log = logging.getLogger(__name__) | ||||
r3253 | def plugin_factory(plugin_id, *args, **kwargs): | |||
r1 | """ | |||
Factory function that is called during plugin discovery. | ||||
It returns the plugin instance. | ||||
""" | ||||
plugin = RhodeCodeAuthPlugin(plugin_id) | ||||
return plugin | ||||
class JasigCasAuthnResource(AuthnPluginResourceBase): | ||||
pass | ||||
class JasigCasSettingsSchema(AuthnPluginSettingsSchemaBase): | ||||
service_url = colander.SchemaNode( | ||||
colander.String(), | ||||
default='https://domain.com/cas/v1/tickets', | ||||
description=_('The url of the Jasig CAS REST service'), | ||||
r55 | preparer=strip_whitespace, | |||
r1 | title=_('URL'), | |||
widget='string') | ||||
class RhodeCodeAuthPlugin(RhodeCodeExternalAuthPlugin): | ||||
r3246 | uid = 'jasig_cas' | |||
r1 | ||||
def includeme(self, config): | ||||
config.add_authn_plugin(self) | ||||
config.add_authn_resource(self.get_id(), JasigCasAuthnResource(self)) | ||||
config.add_view( | ||||
'rhodecode.authentication.views.AuthnPluginViewBase', | ||||
attr='settings_get', | ||||
r1282 | renderer='rhodecode:templates/admin/auth/plugin_settings.mako', | |||
r1 | request_method='GET', | |||
route_name='auth_home', | ||||
context=JasigCasAuthnResource) | ||||
config.add_view( | ||||
'rhodecode.authentication.views.AuthnPluginViewBase', | ||||
attr='settings_post', | ||||
r1282 | renderer='rhodecode:templates/admin/auth/plugin_settings.mako', | |||
r1 | request_method='POST', | |||
route_name='auth_home', | ||||
context=JasigCasAuthnResource) | ||||
def get_settings_schema(self): | ||||
return JasigCasSettingsSchema() | ||||
r4545 | def get_display_name(self, load_from_settings=False): | |||
r1 | return _('Jasig-CAS') | |||
@hybrid_property | ||||
def name(self): | ||||
r5094 | return "jasig-cas" | |||
r1 | ||||
r108 | @property | |||
def is_headers_auth(self): | ||||
r1 | return True | |||
def use_fake_password(self): | ||||
return True | ||||
def user_activation_state(self): | ||||
r1997 | def_user_perms = User.get_default_user().AuthUser().permissions['global'] | |||
r1 | return 'hg.extern_activate.auto' in def_user_perms | |||
def auth(self, userobj, username, password, settings, **kwargs): | ||||
""" | ||||
Given a user object (which may be null), username, a plaintext password, | ||||
and a settings object (containing all the keys needed as listed in settings()), | ||||
authenticate this user's login attempt. | ||||
Return None on failure. On success, return a dictionary of the form: | ||||
see: RhodeCodeAuthPluginBase.auth_func_attrs | ||||
This is later validated for correctness | ||||
""" | ||||
if not username or not password: | ||||
log.debug('Empty username or password skipping...') | ||||
return None | ||||
r12 | log.debug("Jasig CAS settings: %s", settings) | |||
r4914 | params = urllib.parse.urlencode({'username': username, 'password': password}) | |||
r1 | headers = {"Content-type": "application/x-www-form-urlencoded", | |||
"Accept": "text/plain", | ||||
"User-Agent": "RhodeCode-auth-%s" % rhodecode.__version__} | ||||
url = settings["service_url"] | ||||
r12 | log.debug("Sent Jasig CAS: \n%s", | |||
{"url": url, "body": params, "headers": headers}) | ||||
r4914 | request = urllib.request.Request(url, params, headers) | |||
r1 | try: | |||
r5057 | urllib.request.urlopen(request) | |||
r4914 | except urllib.error.HTTPError as e: | |||
r3061 | log.debug("HTTPError when requesting Jasig CAS (status code: %d)", e.code) | |||
r1 | return None | |||
r4914 | except urllib.error.URLError as e: | |||
r5057 | log.debug("URLError when requesting Jasig CAS url: %s %s", url, e) | |||
r1 | return None | |||
# old attrs fetched from RhodeCode database | ||||
admin = getattr(userobj, 'admin', False) | ||||
active = getattr(userobj, 'active', True) | ||||
email = getattr(userobj, 'email', '') | ||||
username = getattr(userobj, 'username', username) | ||||
firstname = getattr(userobj, 'firstname', '') | ||||
lastname = getattr(userobj, 'lastname', '') | ||||
extern_type = getattr(userobj, 'extern_type', '') | ||||
user_attrs = { | ||||
'username': username, | ||||
r5057 | 'firstname': safe_str(firstname or username), | |||
'lastname': safe_str(lastname or ''), | ||||
r1 | 'groups': [], | |||
r2495 | 'user_group_sync': False, | |||
r1 | 'email': email or '', | |||
'admin': admin or False, | ||||
'active': active, | ||||
'active_from_extern': True, | ||||
'extern_name': username, | ||||
'extern_type': extern_type, | ||||
} | ||||
r3061 | log.info('user `%s` authenticated correctly', user_attrs['username']) | |||
r1 | return user_attrs | |||
r3240 | ||||
def includeme(config): | ||||
r5094 | plugin_id = f'egg:rhodecode-enterprise-ce#{RhodeCodeAuthPlugin.uid}' | |||
r3240 | plugin_factory(plugin_id).includeme(config) | |||