rhodecode-enterprise-ce Commit - r498:0a1ad2be

1

# -*- coding: utf-8 -*-

1

# -*- coding: utf-8 -*-

2

3

4

#

4

#

5

# This program is free software: you can redistribute it and/or modify

5

# This program is free software: you can redistribute it and/or modify

6

# it under the terms of the GNU Affero General Public License, version 3

6

# it under the terms of the GNU Affero General Public License, version 3

7

# (only), as published by the Free Software Foundation.

7

# (only), as published by the Free Software Foundation.

8

#

8

#

9

# This program is distributed in the hope that it will be useful,

9

# This program is distributed in the hope that it will be useful,

10

# but WITHOUT ANY WARRANTY; without even the implied warranty of

10

# but WITHOUT ANY WARRANTY; without even the implied warranty of

11

# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the

11

# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the

12

# GNU General Public License for more details.

12

# GNU General Public License for more details.

13

#

13

#

14

# You should have received a copy of the GNU Affero General Public License

14

# You should have received a copy of the GNU Affero General Public License

15

# along with this program. If not, see <http://www.gnu.org/licenses/>.

15

# along with this program. If not, see <http://www.gnu.org/licenses/>.

16

#

16

#

17

# This program is dual-licensed. If you wish to learn more about the

17

# This program is dual-licensed. If you wish to learn more about the

18

# RhodeCode Enterprise Edition, including its added features, Support services,

18

# RhodeCode Enterprise Edition, including its added features, Support services,

19

# and proprietary license terms, please see https://rhodecode.com/licenses/

19

# and proprietary license terms, please see https://rhodecode.com/licenses/

20

21

"""

21

"""

22

Authentication modules

22

Authentication modules

23

"""

23

"""

24

25

import colander

25

import colander

26

import logging

26

import logging

27

import time

27

import time

28

import traceback

28

import traceback

29

import warnings

29

import warnings

30

31

from pyramid.threadlocal import get_current_registry

31

from pyramid.threadlocal import get_current_registry

32

from sqlalchemy.ext.hybrid import hybrid_property

32

from sqlalchemy.ext.hybrid import hybrid_property

33

34

from rhodecode.authentication.interface import IAuthnPluginRegistry

34

from rhodecode.authentication.interface import IAuthnPluginRegistry

35

from rhodecode.authentication.schema import AuthnPluginSettingsSchemaBase

35

from rhodecode.authentication.schema import AuthnPluginSettingsSchemaBase

36

from rhodecode.lib import caches

36

from rhodecode.lib import caches

37

from rhodecode.lib.auth import PasswordGenerator, _RhodeCodeCryptoBCrypt

37

from rhodecode.lib.auth import PasswordGenerator, _RhodeCodeCryptoBCrypt

38

from rhodecode.lib.utils2 import md5_safe, safe_int

38

from rhodecode.lib.utils2 import md5_safe, safe_int

39

from rhodecode.lib.utils2 import safe_str

39

from rhodecode.lib.utils2 import safe_str

40

from rhodecode.model.db import User

40

from rhodecode.model.db import User

41

from rhodecode.model.meta import Session

41

from rhodecode.model.meta import Session

42

from rhodecode.model.settings import SettingsModel

42

from rhodecode.model.settings import SettingsModel

43

from rhodecode.model.user import UserModel

43

from rhodecode.model.user import UserModel

44

from rhodecode.model.user_group import UserGroupModel

44

from rhodecode.model.user_group import UserGroupModel

45

46

47

log = logging.getLogger(__name__)

47

log = logging.getLogger(__name__)

48

49

# auth types that authenticate() function can receive

49

# auth types that authenticate() function can receive

50

VCS_TYPE = 'vcs'

50

VCS_TYPE = 'vcs'

51

HTTP_TYPE = 'http'

51

HTTP_TYPE = 'http'

52

53

54

class LazyFormencode(object):

54

class LazyFormencode(object):

55

def __init__(self, formencode_obj, *args, **kwargs):

55

def __init__(self, formencode_obj, *args, **kwargs):

56

self.formencode_obj = formencode_obj

56

self.formencode_obj = formencode_obj

57

self.args = args

57

self.args = args

58

self.kwargs = kwargs

58

self.kwargs = kwargs

59

60

def __call__(self, *args, **kwargs):

60

def __call__(self, *args, **kwargs):

61

from inspect import isfunction

61

from inspect import isfunction

62

formencode_obj = self.formencode_obj

62

formencode_obj = self.formencode_obj

63

if isfunction(formencode_obj):

63

if isfunction(formencode_obj):

64

# case we wrap validators into functions

64

# case we wrap validators into functions

65

formencode_obj = self.formencode_obj(*args, **kwargs)

65

formencode_obj = self.formencode_obj(*args, **kwargs)

66

return formencode_obj(*self.args, **self.kwargs)

66

return formencode_obj(*self.args, **self.kwargs)

67

68

69

class RhodeCodeAuthPluginBase(object):

69

class RhodeCodeAuthPluginBase(object):

70

# cache the authentication request for N amount of seconds. Some kind

70

# cache the authentication request for N amount of seconds. Some kind

71

# of authentication methods are very heavy and it's very efficient to cache

71

# of authentication methods are very heavy and it's very efficient to cache

72

# the result of a call. If it's set to None (default) cache is off

72

# the result of a call. If it's set to None (default) cache is off

73

AUTH_CACHE_TTL = None

73

AUTH_CACHE_TTL = None

74

AUTH_CACHE = {}

74

AUTH_CACHE = {}

75

76

auth_func_attrs = {

76

auth_func_attrs = {

77

"username": "unique username",

77

"username": "unique username",

78

"firstname": "first name",

78

"firstname": "first name",

79

"lastname": "last name",

79

"lastname": "last name",

80

"email": "email address",

80

"email": "email address",

81

"groups": '["list", "of", "groups"]',

81

"groups": '["list", "of", "groups"]',

82

"extern_name": "name in external source of record",

82

"extern_name": "name in external source of record",

83

"extern_type": "type of external source of record",

83

"extern_type": "type of external source of record",

84

"admin": 'True|False defines if user should be RhodeCode super admin',

84

"admin": 'True|False defines if user should be RhodeCode super admin',

85

"active":

85

"active":

86

'True|False defines active state of user internally for RhodeCode',

86

'True|False defines active state of user internally for RhodeCode',

87

"active_from_extern":

87

"active_from_extern":

88

"True|False\None, active state from the external auth, "

88

"True|False\None, active state from the external auth, "

89

"None means use definition from RhodeCode extern_type active value"

89

"None means use definition from RhodeCode extern_type active value"

90

}

90

}

91

# set on authenticate() method and via set_auth_type func.

91

# set on authenticate() method and via set_auth_type func.

92

auth_type = None

92

auth_type = None

93

94

# List of setting names to store encrypted. Plugins may override this list

94

# List of setting names to store encrypted. Plugins may override this list

95

# to store settings encrypted.

95

# to store settings encrypted.

96

_settings_encrypted = []

96

_settings_encrypted = []

97

98

# Mapping of python to DB settings model types. Plugins may override or

98

# Mapping of python to DB settings model types. Plugins may override or

99

# extend this mapping.

99

# extend this mapping.

100

_settings_type_map = {

100

_settings_type_map = {

101

colander.String: 'unicode',

101

colander.String: 'unicode',

102

colander.Integer: 'int',

102

colander.Integer: 'int',

103

colander.Boolean: 'bool',

103

colander.Boolean: 'bool',

104

colander.List: 'list',

104

colander.List: 'list',

105

}

105

}

106

107

def __init__(self, plugin_id):

107

def __init__(self, plugin_id):

108

self._plugin_id = plugin_id

108

self._plugin_id = plugin_id

109

110

def __str__(self):

110

def __str__(self):

111

return self.get_id()

111

return self.get_id()

112

113

def _get_setting_full_name(self, name):

113

def _get_setting_full_name(self, name):

114

"""

114

"""

115

Return the full setting name used for storing values in the database.

115

Return the full setting name used for storing values in the database.

116

"""

116

"""

117

# TODO: johbo: Using the name here is problematic. It would be good to

117

# TODO: johbo: Using the name here is problematic. It would be good to

118

# introduce either new models in the database to hold Plugin and

118

# introduce either new models in the database to hold Plugin and

119

# PluginSetting or to use the plugin id here.

119

# PluginSetting or to use the plugin id here.

120

return 'auth_{}_{}'.format(self.name, name)

120

return 'auth_{}_{}'.format(self.name, name)

121

122

def _get_setting_type(self, name):

122

def _get_setting_type(self, name):

123

"""

123

"""

124

Return the type of a setting. This type is defined by the SettingsModel

124

Return the type of a setting. This type is defined by the SettingsModel

125

and determines how the setting is stored in DB. Optionally the suffix

125

and determines how the setting is stored in DB. Optionally the suffix

126

`.encrypted` is appended to instruct SettingsModel to store it

126

`.encrypted` is appended to instruct SettingsModel to store it

127

encrypted.

127

encrypted.

128

"""

128

"""

129

schema_node = self.get_settings_schema().get(name)

129

schema_node = self.get_settings_schema().get(name)

130

db_type = self._settings_type_map.get(

130

db_type = self._settings_type_map.get(

131

type(schema_node.typ), 'unicode')

131

type(schema_node.typ), 'unicode')

132

if name in self._settings_encrypted:

132

if name in self._settings_encrypted:

133

db_type = '{}.encrypted'.format(db_type)

133

db_type = '{}.encrypted'.format(db_type)

134

return db_type

134

return db_type

135

136

def is_enabled(self):

136

def is_enabled(self):

137

"""

137

"""

138

Returns true if this plugin is enabled. An enabled plugin can be

138

Returns true if this plugin is enabled. An enabled plugin can be

139

configured in the admin interface but it is not consulted during

139

configured in the admin interface but it is not consulted during

140

authentication.

140

authentication.

141

"""

141

"""

142

auth_plugins = SettingsModel().get_auth_plugins()

142

auth_plugins = SettingsModel().get_auth_plugins()

143

return self.get_id() in auth_plugins

143

return self.get_id() in auth_plugins

144

145

def is_active(self):

145

def is_active(self):

146

"""

146

"""

147

Returns true if the plugin is activated. An activated plugin is

147

Returns true if the plugin is activated. An activated plugin is

148

consulted during authentication, assumed it is also enabled.

148

consulted during authentication, assumed it is also enabled.

149

"""

149

"""

150

return self.get_setting_by_name('enabled')

150

return self.get_setting_by_name('enabled')

151

152

def get_id(self):

152

def get_id(self):

153

"""

153

"""

154

Returns the plugin id.

154

Returns the plugin id.

155

"""

155

"""

156

return self._plugin_id

156

return self._plugin_id

157

158

def get_display_name(self):

158

def get_display_name(self):

159

"""

159

"""

160

Returns a translation string for displaying purposes.

160

Returns a translation string for displaying purposes.

161

"""

161

"""

162

raise NotImplementedError('Not implemented in base class')

162

raise NotImplementedError('Not implemented in base class')

163

164

def get_settings_schema(self):

164

def get_settings_schema(self):

165

"""

165

"""

166

Returns a colander schema, representing the plugin settings.

166

Returns a colander schema, representing the plugin settings.

167

"""

167

"""

168

return AuthnPluginSettingsSchemaBase()

168

return AuthnPluginSettingsSchemaBase()

169

170

def get_setting_by_name(self, name, default=None):

170

def get_setting_by_name(self, name, default=None):

171

"""

171

"""

172

Returns a plugin setting by name.

172

Returns a plugin setting by name.

173

"""

173

"""

174

full_name = self._get_setting_full_name(name)

174

full_name = self._get_setting_full_name(name)

175

db_setting = SettingsModel().get_setting_by_name(full_name)

175

db_setting = SettingsModel().get_setting_by_name(full_name)

176

return db_setting.app_settings_value if db_setting else default

176

return db_setting.app_settings_value if db_setting else default

177

178

def create_or_update_setting(self, name, value):

178

def create_or_update_setting(self, name, value):

179

"""

179

"""

180

Create or update a setting for this plugin in the persistent storage.

180

Create or update a setting for this plugin in the persistent storage.

181

"""

181

"""

182

full_name = self._get_setting_full_name(name)

182

full_name = self._get_setting_full_name(name)

183

type_ = self._get_setting_type(name)

183

type_ = self._get_setting_type(name)

184

db_setting = SettingsModel().create_or_update_setting(

184

db_setting = SettingsModel().create_or_update_setting(

185

full_name, value, type_)

185

full_name, value, type_)

186

return db_setting.app_settings_value

186

return db_setting.app_settings_value

187

188

def get_settings(self):

188

def get_settings(self):

189

"""

189

"""

190

Returns the plugin settings as dictionary.

190

Returns the plugin settings as dictionary.

191

"""

191

"""

192

settings = {}

192

settings = {}

193

for node in self.get_settings_schema():

193

for node in self.get_settings_schema():

194

settings[node.name] = self.get_setting_by_name(node.name)

194

settings[node.name] = self.get_setting_by_name(node.name)

195

return settings

195

return settings

196

197

@property

197

@property

198

def validators(self):

198

def validators(self):

199

"""

199

"""

200

Exposes RhodeCode validators modules

200

Exposes RhodeCode validators modules

201

"""

201

"""

202

# this is a hack to overcome issues with pylons threadlocals and

202

# this is a hack to overcome issues with pylons threadlocals and

203

# translator object _() not beein registered properly.

203

# translator object _() not beein registered properly.

204

class LazyCaller(object):

204

class LazyCaller(object):

205

def __init__(self, name):

205

def __init__(self, name):

206

self.validator_name = name

206

self.validator_name = name

207

208

def __call__(self, *args, **kwargs):

208

def __call__(self, *args, **kwargs):

209

from rhodecode.model import validators as v

209

from rhodecode.model import validators as v

210

obj = getattr(v, self.validator_name)

210

obj = getattr(v, self.validator_name)

211

# log.debug('Initializing lazy formencode object: %s', obj)

211

# log.debug('Initializing lazy formencode object: %s', obj)

212

return LazyFormencode(obj, *args, **kwargs)

212

return LazyFormencode(obj, *args, **kwargs)

213

214

class ProxyGet(object):

214

class ProxyGet(object):

215

def __getattribute__(self, name):

215

def __getattribute__(self, name):

216

return LazyCaller(name)

216

return LazyCaller(name)

217

218

return ProxyGet()

218

return ProxyGet()

219

220

@hybrid_property

220

@hybrid_property

221

def name(self):

221

def name(self):

222

"""

222

"""

223

Returns the name of this authentication plugin.

223

Returns the name of this authentication plugin.

224

225

:returns: string

225

:returns: string

226

"""

226

"""

227

raise NotImplementedError("Not implemented in base class")

227

raise NotImplementedError("Not implemented in base class")

228

229

@property

229

@property

230

def is_headers_auth(self):

230

def is_headers_auth(self):

231

"""

231

"""

232

Returns True if this authentication plugin uses HTTP headers as

232

Returns True if this authentication plugin uses HTTP headers as

233

authentication method.

233

authentication method.

234

"""

234

"""

235

return False

235

return False

236

237

@hybrid_property

237

@hybrid_property

238

def is_container_auth(self):

238

def is_container_auth(self):

239

"""

239

"""

240

Deprecated method that indicates if this authentication plugin uses

240

Deprecated method that indicates if this authentication plugin uses

241

HTTP headers as authentication method.

241

HTTP headers as authentication method.

242

"""

242

"""

243

warnings.warn(

243

warnings.warn(

244

'Use is_headers_auth instead.', category=DeprecationWarning)

244

'Use is_headers_auth instead.', category=DeprecationWarning)

245

return self.is_headers_auth

245

return self.is_headers_auth

246

247

@hybrid_property

247

@hybrid_property

248

def allows_creating_users(self):

248

def allows_creating_users(self):

249

"""

249

"""

250

Defines if Plugin allows users to be created on-the-fly when

250

Defines if Plugin allows users to be created on-the-fly when

251

authentication is called. Controls how external plugins should behave

251

authentication is called. Controls how external plugins should behave

252

in terms if they are allowed to create new users, or not. Base plugins

252

in terms if they are allowed to create new users, or not. Base plugins

253

should not be allowed to, but External ones should be !

253

should not be allowed to, but External ones should be !

254

255

:return: bool

255

:return: bool

256

"""

256

"""

257

return False

257

return False

258

259

def set_auth_type(self, auth_type):

259

def set_auth_type(self, auth_type):

260

self.auth_type = auth_type

260

self.auth_type = auth_type

261

262

def allows_authentication_from(

262

def allows_authentication_from(

263

self, user, allows_non_existing_user=True,

263

self, user, allows_non_existing_user=True,

264

allowed_auth_plugins=None, allowed_auth_sources=None):

264

allowed_auth_plugins=None, allowed_auth_sources=None):

265

"""

265

"""

266

Checks if this authentication module should accept a request for

266

Checks if this authentication module should accept a request for

267

the current user.

267

the current user.

268

269

:param user: user object fetched using plugin's get_user() method.

269

:param user: user object fetched using plugin's get_user() method.

270

:param allows_non_existing_user: if True, don't allow the

270

:param allows_non_existing_user: if True, don't allow the

271

user to be empty, meaning not existing in our database

271

user to be empty, meaning not existing in our database

272

:param allowed_auth_plugins: if provided, users extern_type will be

272

:param allowed_auth_plugins: if provided, users extern_type will be

273

checked against a list of provided extern types, which are plugin

273

checked against a list of provided extern types, which are plugin

274

auth_names in the end

274

auth_names in the end

275

:param allowed_auth_sources: authentication type allowed,

275

:param allowed_auth_sources: authentication type allowed,

276

`http` or `vcs` default is both.

276

`http` or `vcs` default is both.

277

defines if plugin will accept only http authentication vcs

277

defines if plugin will accept only http authentication vcs

278

authentication(git/hg) or both

278

authentication(git/hg) or both

279

:returns: boolean

279

:returns: boolean

280

"""

280

"""

281

if not user and not allows_non_existing_user:

281

if not user and not allows_non_existing_user:

282

log.debug('User is empty but plugin does not allow empty users,'

282

log.debug('User is empty but plugin does not allow empty users,'

283

'not allowed to authenticate')

283

'not allowed to authenticate')

284

return False

284

return False

285

286

expected_auth_plugins = allowed_auth_plugins or [self.name]

286

expected_auth_plugins = allowed_auth_plugins or [self.name]

287

if user and (user.extern_type and

287

if user and (user.extern_type and

288

user.extern_type not in expected_auth_plugins):

288

user.extern_type not in expected_auth_plugins):

289

log.debug(

289

log.debug(

290

'User `%s` is bound to `%s` auth type. Plugin allows only '

290

'User `%s` is bound to `%s` auth type. Plugin allows only '

291

'%s, skipping', user, user.extern_type, expected_auth_plugins)

291

'%s, skipping', user, user.extern_type, expected_auth_plugins)

292

293

return False

293

return False

294

295

# by default accept both

295

# by default accept both

296

expected_auth_from = allowed_auth_sources or [HTTP_TYPE, VCS_TYPE]

296

expected_auth_from = allowed_auth_sources or [HTTP_TYPE, VCS_TYPE]

297

if self.auth_type not in expected_auth_from:

297

if self.auth_type not in expected_auth_from:

298

log.debug('Current auth source is %s but plugin only allows %s',

298

log.debug('Current auth source is %s but plugin only allows %s',

299

self.auth_type, expected_auth_from)

299

self.auth_type, expected_auth_from)

300

return False

300

return False

301

302

return True

302

return True

303

304

def get_user(self, username=None, **kwargs):

304

def get_user(self, username=None, **kwargs):

305

"""

305

"""

306

Helper method for user fetching in plugins, by default it's using

306

Helper method for user fetching in plugins, by default it's using

307

simple fetch by username, but this method can be custimized in plugins

307

simple fetch by username, but this method can be custimized in plugins

308

eg. headers auth plugin to fetch user by environ params

308

eg. headers auth plugin to fetch user by environ params

309

310

:param username: username if given to fetch from database

310

:param username: username if given to fetch from database

311

:param kwargs: extra arguments needed for user fetching.

311

:param kwargs: extra arguments needed for user fetching.

312

"""

312

"""

313

user = None

313

user = None

314

log.debug(

314

log.debug(

315

'Trying to fetch user `%s` from RhodeCode database', username)

315

'Trying to fetch user `%s` from RhodeCode database', username)

316

if username:

316

if username:

317

user = User.get_by_username(username)

317

user = User.get_by_username(username)

318

if not user:

318

if not user:

319

log.debug('User not found, fallback to fetch user in '

319

log.debug('User not found, fallback to fetch user in '

320

'case insensitive mode')

320

'case insensitive mode')

321

user = User.get_by_username(username, case_insensitive=True)

321

user = User.get_by_username(username, case_insensitive=True)

322

else:

322

else:

323

log.debug('provided username:`%s` is empty skipping...', username)

323

log.debug('provided username:`%s` is empty skipping...', username)

324

if not user:

324

if not user:

325

log.debug('User `%s` not found in database', username)

325

log.debug('User `%s` not found in database', username)

326

return user

326

return user

327

328

def user_activation_state(self):

328

def user_activation_state(self):

329

"""

329

"""

330

Defines user activation state when creating new users

330

Defines user activation state when creating new users

331

332

:returns: boolean

332

:returns: boolean

333

"""

333

"""

334

raise NotImplementedError("Not implemented in base class")

334

raise NotImplementedError("Not implemented in base class")

335

336

def auth(self, userobj, username, passwd, settings, **kwargs):

336

def auth(self, userobj, username, passwd, settings, **kwargs):

337

"""

337

"""

338

Given a user object (which may be null), username, a plaintext

338

Given a user object (which may be null), username, a plaintext

339

password, and a settings object (containing all the keys needed as

339

password, and a settings object (containing all the keys needed as

340

listed in settings()), authenticate this user's login attempt.

340

listed in settings()), authenticate this user's login attempt.

341

342

Return None on failure. On success, return a dictionary of the form:

342

Return None on failure. On success, return a dictionary of the form:

343

344

see: RhodeCodeAuthPluginBase.auth_func_attrs

344

see: RhodeCodeAuthPluginBase.auth_func_attrs

345

This is later validated for correctness

345

This is later validated for correctness

346

"""

346

"""

347

raise NotImplementedError("not implemented in base class")

347

raise NotImplementedError("not implemented in base class")

348

349

def _authenticate(self, userobj, username, passwd, settings, **kwargs):

349

def _authenticate(self, userobj, username, passwd, settings, **kwargs):

350

"""

350

"""

351

Wrapper to call self.auth() that validates call on it

351

Wrapper to call self.auth() that validates call on it

352

353

:param userobj: userobj

353

:param userobj: userobj

354

:param username: username

354

:param username: username

355

:param passwd: plaintext password

355

:param passwd: plaintext password

356

:param settings: plugin settings

356

:param settings: plugin settings

357

"""

357

"""

358

auth = self.auth(userobj, username, passwd, settings, **kwargs)

358

auth = self.auth(userobj, username, passwd, settings, **kwargs)

359

if auth:

359

if auth:

360

# check if hash should be migrated ?

360

# check if hash should be migrated ?

361

new_hash = auth.get('_hash_migrate')

361

new_hash = auth.get('_hash_migrate')

362

if new_hash:

362

if new_hash:

363

self._migrate_hash_to_bcrypt(username, passwd, new_hash)

363

self._migrate_hash_to_bcrypt(username, passwd, new_hash)

364

return self._validate_auth_return(auth)

364

return self._validate_auth_return(auth)

365

return auth

365

return auth

366

367

def _migrate_hash_to_bcrypt(self, username, password, new_hash):

367

def _migrate_hash_to_bcrypt(self, username, password, new_hash):

368

new_hash_cypher = _RhodeCodeCryptoBCrypt()

368

new_hash_cypher = _RhodeCodeCryptoBCrypt()

369

# extra checks, so make sure new hash is correct.

369

# extra checks, so make sure new hash is correct.

370

password_encoded = safe_str(password)

370

password_encoded = safe_str(password)

371

if new_hash and new_hash_cypher.hash_check(

371

if new_hash and new_hash_cypher.hash_check(

372

password_encoded, new_hash):

372

password_encoded, new_hash):

373

cur_user = User.get_by_username(username)

373

cur_user = User.get_by_username(username)

374

cur_user.password = new_hash

374

cur_user.password = new_hash

375

Session().add(cur_user)

375

Session().add(cur_user)

376

Session().flush()

376

Session().flush()

377

log.info('Migrated user %s hash to bcrypt', cur_user)

377

log.info('Migrated user %s hash to bcrypt', cur_user)

378

379

def _validate_auth_return(self, ret):

379

def _validate_auth_return(self, ret):

380

if not isinstance(ret, dict):

380

if not isinstance(ret, dict):

381

raise Exception('returned value from auth must be a dict')

381

raise Exception('returned value from auth must be a dict')

382

for k in self.auth_func_attrs:

382

for k in self.auth_func_attrs:

383

if k not in ret:

383

if k not in ret:

384

raise Exception('Missing %s attribute from returned data' % k)

384

raise Exception('Missing %s attribute from returned data' % k)

385

return ret

385

return ret

386

387

388

class RhodeCodeExternalAuthPlugin(RhodeCodeAuthPluginBase):

388

class RhodeCodeExternalAuthPlugin(RhodeCodeAuthPluginBase):

389

390

@hybrid_property

390

@hybrid_property

391

def allows_creating_users(self):

391

def allows_creating_users(self):

392

return True

392

return True

393

394

def use_fake_password(self):

394

def use_fake_password(self):

395

"""

395

"""

396

Return a boolean that indicates whether or not we should set the user's

396

Return a boolean that indicates whether or not we should set the user's

397

password to a random value when it is authenticated by this plugin.

397

password to a random value when it is authenticated by this plugin.

398

If your plugin provides authentication, then you will generally

398

If your plugin provides authentication, then you will generally

399

want this.

399

want this.

400

401

:returns: boolean

401

:returns: boolean

402

"""

402

"""

403

raise NotImplementedError("Not implemented in base class")

403

raise NotImplementedError("Not implemented in base class")

404

405

def _authenticate(self, userobj, username, passwd, settings, **kwargs):

405

def _authenticate(self, userobj, username, passwd, settings, **kwargs):

406

# at this point _authenticate calls plugin's `auth()` function

406

# at this point _authenticate calls plugin's `auth()` function

407

auth = super(RhodeCodeExternalAuthPlugin, self)._authenticate(

407

auth = super(RhodeCodeExternalAuthPlugin, self)._authenticate(

408

userobj, username, passwd, settings, **kwargs)

408

userobj, username, passwd, settings, **kwargs)

409

if auth:

409

if auth:

410

# maybe plugin will clean the username ?

410

# maybe plugin will clean the username ?

411

# we should use the return value

411

# we should use the return value

412

username = auth['username']

412

username = auth['username']

413

414

# if external source tells us that user is not active, we should

414

# if external source tells us that user is not active, we should

415

# skip rest of the process. This can prevent from creating users in

415

# skip rest of the process. This can prevent from creating users in

416

# RhodeCode when using external authentication, but if it's

416

# RhodeCode when using external authentication, but if it's

417

# inactive user we shouldn't create that user anyway

417

# inactive user we shouldn't create that user anyway

418

if auth['active_from_extern'] is False:

418

if auth['active_from_extern'] is False:

419

log.warning(

419

log.warning(

420

"User %s authenticated against %s, but is inactive",

420

"User %s authenticated against %s, but is inactive",

421

username, self.__module__)

421

username, self.__module__)

422

return None

422

return None

423

424

cur_user = User.get_by_username(username, case_insensitive=True)

424

cur_user = User.get_by_username(username, case_insensitive=True)

425

is_user_existing = cur_user is not None

425

is_user_existing = cur_user is not None

426

427

if is_user_existing:

427

if is_user_existing:

428

log.debug('Syncing user `%s` from '

428

log.debug('Syncing user `%s` from '

429

'`%s` plugin', username, self.name)

429

'`%s` plugin', username, self.name)

430

else:

430

else:

431

log.debug('Creating non existing user `%s` from '

431

log.debug('Creating non existing user `%s` from '

432

'`%s` plugin', username, self.name)

432

'`%s` plugin', username, self.name)

433

434

if self.allows_creating_users:

434

if self.allows_creating_users:

435

log.debug('Plugin `%s` allows to '

435

log.debug('Plugin `%s` allows to '

436

'create new users', self.name)

436

'create new users', self.name)

437

else:

437

else:

438

log.debug('Plugin `%s` does not allow to '

438

log.debug('Plugin `%s` does not allow to '

439

'create new users', self.name)

439

'create new users', self.name)

440

441

user_parameters = {

441

user_parameters = {

442

'username': username,

442

'username': username,

443

'email': auth["email"],

443

'email': auth["email"],

444

'firstname': auth["firstname"],

444

'firstname': auth["firstname"],

445

'lastname': auth["lastname"],

445

'lastname': auth["lastname"],

446

'active': auth["active"],

446

'active': auth["active"],

447

'admin': auth["admin"],

447

'admin': auth["admin"],

448

'extern_name': auth["extern_name"],

448

'extern_name': auth["extern_name"],

449

'extern_type': self.name,

449

'extern_type': self.name,

450

'plugin': self,

450

'plugin': self,

451

'allow_to_create_user': self.allows_creating_users,

451

'allow_to_create_user': self.allows_creating_users,

452

}

452

}

453

454

if not is_user_existing:

454

if not is_user_existing:

455

if self.use_fake_password():

455

if self.use_fake_password():

456

# Randomize the PW because we don't need it, but don't want

456

# Randomize the PW because we don't need it, but don't want

457

# them blank either

457

# them blank either

458

passwd = PasswordGenerator().gen_password(length=16)

458

passwd = PasswordGenerator().gen_password(length=16)

459

user_parameters['password'] = passwd

459

user_parameters['password'] = passwd

460

else:

460

else:

461

# Since the password is required by create_or_update method of

461

# Since the password is required by create_or_update method of

462

# UserModel, we need to set it explicitly.

462

# UserModel, we need to set it explicitly.

463

# The create_or_update method is smart and recognises the

463

# The create_or_update method is smart and recognises the

464

# password hashes as well.

464

# password hashes as well.

465

user_parameters['password'] = cur_user.password

465

user_parameters['password'] = cur_user.password

466

467

# we either create or update users, we also pass the flag

467

# we either create or update users, we also pass the flag

468

# that controls if this method can actually do that.

468

# that controls if this method can actually do that.

469

# raises NotAllowedToCreateUserError if it cannot, and we try to.

469

# raises NotAllowedToCreateUserError if it cannot, and we try to.

470

user = UserModel().create_or_update(**user_parameters)

470

user = UserModel().create_or_update(**user_parameters)

471

Session().flush()

471

Session().flush()

472

# enforce user is just in given groups, all of them has to be ones

472

# enforce user is just in given groups, all of them has to be ones

473

# created from plugins. We store this info in _group_data JSON

473

# created from plugins. We store this info in _group_data JSON

474

# field

474

# field

475

try:

475

try:

476

groups = auth['groups'] or []

476

groups = auth['groups'] or []

477

UserGroupModel().enforce_groups(user, groups, self.name)

477

UserGroupModel().enforce_groups(user, groups, self.name)

478

except Exception:

478

except Exception:

479

# for any reason group syncing fails, we should

479

# for any reason group syncing fails, we should

480

# proceed with login

480

# proceed with login

481

log.error(traceback.format_exc())

481

log.error(traceback.format_exc())

482

Session().commit()

482

Session().commit()

483

return auth

483

return auth

484

485

486

def loadplugin(plugin_id):

486

def loadplugin(plugin_id):

487

"""

487

"""

488

Loads and returns an instantiated authentication plugin.

488

Loads and returns an instantiated authentication plugin.

489

Returns the RhodeCodeAuthPluginBase subclass on success,

489

Returns the RhodeCodeAuthPluginBase subclass on success,

490

or None on failure.

490

or None on failure.

491

"""

491

"""

492

# TODO: Disusing pyramids thread locals to retrieve the registry.

492

# TODO: Disusing pyramids thread locals to retrieve the registry.

493

authn_registry = get_authn_registry()

493

authn_registry = get_authn_registry()

494

plugin = authn_registry.get_plugin(plugin_id)

494

plugin = authn_registry.get_plugin(plugin_id)

495

if plugin is None:

495

if plugin is None:

496

log.error('Authentication plugin not found: "%s"', plugin_id)

496

log.error('Authentication plugin not found: "%s"', plugin_id)

497

return plugin

497

return plugin

498

499

500

def get_authn_registry(registry=None):

500

def get_authn_registry(registry=None):

501

registry = registry or get_current_registry()

501

registry = registry or get_current_registry()

502

authn_registry = registry.getUtility(IAuthnPluginRegistry)

502

authn_registry = registry.getUtility(IAuthnPluginRegistry)

503

return authn_registry

503

return authn_registry

504

505

506

def get_auth_cache_manager(custom_ttl=None):

506

def get_auth_cache_manager(custom_ttl=None):

507

return caches.get_cache_manager(

507

return caches.get_cache_manager(

508

'auth_plugins', 'rhodecode.authentication', custom_ttl)

508

'auth_plugins', 'rhodecode.authentication', custom_ttl)

509

510

511

def authenticate(username, password, environ=None, auth_type=None,

511

def authenticate(username, password, environ=None, auth_type=None,

512

skip_missing=False):

512

skip_missing=False):

513

"""

513

"""

514

Authentication function used for access control,

514

Authentication function used for access control,

515

It tries to authenticate based on enabled authentication modules.

515

It tries to authenticate based on enabled authentication modules.

516

517

:param username: username can be empty for headers auth

517

:param username: username can be empty for headers auth

518

:param password: password can be empty for headers auth

518

:param password: password can be empty for headers auth

519

:param environ: environ headers passed for headers auth

519

:param environ: environ headers passed for headers auth

520

:param auth_type: type of authentication, either `HTTP_TYPE` or `VCS_TYPE`

520

:param auth_type: type of authentication, either `HTTP_TYPE` or `VCS_TYPE`

521

:param skip_missing: ignores plugins that are in db but not in environment

521

:param skip_missing: ignores plugins that are in db but not in environment

522

:returns: None if auth failed, plugin_user dict if auth is correct

522

:returns: None if auth failed, plugin_user dict if auth is correct

523

"""

523

"""

524

if not auth_type or auth_type not in [HTTP_TYPE, VCS_TYPE]:

524

if not auth_type or auth_type not in [HTTP_TYPE, VCS_TYPE]:

525

raise ValueError('auth type must be on of http, vcs got "%s" instead'

525

raise ValueError('auth type must be on of http, vcs got "%s" instead'

526

% auth_type)

526

% auth_type)

527

headers_only = environ and not (username and password)

527

headers_only = environ and not (username and password)

528

529

authn_registry = get_authn_registry()

529

authn_registry = get_authn_registry()

530

for plugin in authn_registry.get_plugins_for_authentication():

530

for plugin in authn_registry.get_plugins_for_authentication():

531

plugin.set_auth_type(auth_type)

531

plugin.set_auth_type(auth_type)

532

user = plugin.get_user(username)

532

user = plugin.get_user(username)

533

display_user = user.username if user else username

533

display_user = user.username if user else username

534

535

if headers_only and not plugin.is_headers_auth:

535

if headers_only and not plugin.is_headers_auth:

536

log.debug('Auth type is for headers only and plugin `%s` is not '

536

log.debug('Auth type is for headers only and plugin `%s` is not '

537

'headers plugin, skipping...', plugin.get_id())

537

'headers plugin, skipping...', plugin.get_id())

538

continue

538

continue

539

540

# load plugin settings from RhodeCode database

540

# load plugin settings from RhodeCode database

541

plugin_settings = plugin.get_settings()

541

plugin_settings = plugin.get_settings()

542

log.debug('Plugin settings:%s', plugin_settings)

542

log.debug('Plugin settings:%s', plugin_settings)

543

544

log.debug('Trying authentication using ** %s **', plugin.get_id())

544

log.debug('Trying authentication using ** %s **', plugin.get_id())

545

# use plugin's method of user extraction.

545

# use plugin's method of user extraction.

546

user = plugin.get_user(username, environ=environ,

546

user = plugin.get_user(username, environ=environ,

547

settings=plugin_settings)

547

settings=plugin_settings)

548

display_user = user.username if user else username

548

display_user = user.username if user else username

549

log.debug(

549

log.debug(

550

'Plugin %s extracted user is `%s`', plugin.get_id(), display_user)

550

'Plugin %s extracted user is `%s`', plugin.get_id(), display_user)

551

552

if not plugin.allows_authentication_from(user):

552

if not plugin.allows_authentication_from(user):

553

log.debug('Plugin %s does not accept user `%s` for authentication',

553

log.debug('Plugin %s does not accept user `%s` for authentication',

554

plugin.get_id(), display_user)

554

plugin.get_id(), display_user)

555

continue

555

continue

556

else:

556

else:

557

log.debug('Plugin %s accepted user `%s` for authentication',

557

log.debug('Plugin %s accepted user `%s` for authentication',

558

plugin.get_id(), display_user)

558

plugin.get_id(), display_user)

559

560

log.info('Authenticating user `%s` using %s plugin',

560

log.info('Authenticating user `%s` using %s plugin',

561

display_user, plugin.get_id())

561

display_user, plugin.get_id())

562

563

_cache_ttl = 0

563

_cache_ttl = 0

564

565

if isinstance(plugin.AUTH_CACHE_TTL, (int, long)):

565

if isinstance(plugin.AUTH_CACHE_TTL, (int, long)):

566

# plugin cache set inside is more important than the settings value

566

# plugin cache set inside is more important than the settings value

567

_cache_ttl = plugin.AUTH_CACHE_TTL

567

_cache_ttl = plugin.AUTH_CACHE_TTL

568

elif plugin_settings.get('auth_cache_ttl'):

568

elif plugin_settings.get('auth_cache_ttl'):

569

_cache_ttl = safe_int(plugin_settings.get('auth_cache_ttl'), 0)

569

_cache_ttl = safe_int(plugin_settings.get('auth_cache_ttl'), 0)

570

571

plugin_cache_active = bool(_cache_ttl and _cache_ttl > 0)

571

plugin_cache_active = bool(_cache_ttl and _cache_ttl > 0)

572

573

# get instance of cache manager configured for a namespace

573

# get instance of cache manager configured for a namespace

574

cache_manager = get_auth_cache_manager(custom_ttl=_cache_ttl)

574

cache_manager = get_auth_cache_manager(custom_ttl=_cache_ttl)

575

576

log.debug('~~Cache~~ for plugin `%s` active: %s', ~~plugin~~.~~get_id(),~~

576

log.debug('AUTH_CACHE_TTL for plugin `%s` active: %s (TTL: %s)',

577

plugin_cache_active)

577

plugin.get_id(), plugin_cache_active, _cache_ttl)

578

579

# for environ based password can be empty, but then the validation is

579

# for environ based password can be empty, but then the validation is

580

# on the server that fills in the env data needed for authentication

580

# on the server that fills in the env data needed for authentication

581

_password_hash = md5_safe(plugin.name + username + (password or ''))

581

_password_hash = md5_safe(plugin.name + username + (password or ''))

582

583

# _authenticate is a wrapper for .auth() method of plugin.

583

# _authenticate is a wrapper for .auth() method of plugin.

584

# it checks if .auth() sends proper data.

584

# it checks if .auth() sends proper data.

585

# For RhodeCodeExternalAuthPlugin it also maps users to

585

# For RhodeCodeExternalAuthPlugin it also maps users to

586

# Database and maps the attributes returned from .auth()

586

# Database and maps the attributes returned from .auth()

587

# to RhodeCode database. If this function returns data

587

# to RhodeCode database. If this function returns data

588

# then auth is correct.

588

# then auth is correct.

589

start = time.time()

589

start = time.time()

590

log.debug('Running plugin `%s` _authenticate method',

590

log.debug('Running plugin `%s` _authenticate method', plugin.get_id())

591

plugin.get_id())

592

591

593

def auth_func():

592

def auth_func():

594

"""

593

"""

595

This function is used internally in Cache of Beaker to calculate

594

This function is used internally in Cache of Beaker to calculate

596

Results

595

Results

597

"""

596

"""

598

return plugin._authenticate(

597

return plugin._authenticate(

599

user, username, password, plugin_settings,

598

user, username, password, plugin_settings,

600

environ=environ or {})

599

environ=environ or {})

601

600

602

if plugin_cache_active:

601

if plugin_cache_active:

603

plugin_user = cache_manager.get(

602

plugin_user = cache_manager.get(

604

_password_hash, createfunc=auth_func)

603

_password_hash, createfunc=auth_func)

605

else:

604

else:

606

plugin_user = auth_func()

605

plugin_user = auth_func()

607

606

608

auth_time = time.time() - start

607

auth_time = time.time() - start

609

log.debug('Authentication for plugin `%s` completed in %.3fs, '

608

log.debug('Authentication for plugin `%s` completed in %.3fs, '

610

'expiration time of fetched cache %.1fs.',

609

'expiration time of fetched cache %.1fs.',

611

plugin.get_id(), auth_time, _cache_ttl)

610

plugin.get_id(), auth_time, _cache_ttl)

612

611

613

log.debug('PLUGIN USER DATA: %s', plugin_user)

612

log.debug('PLUGIN USER DATA: %s', plugin_user)

614

613

615

if plugin_user:

614

if plugin_user:

616

log.debug('Plugin returned proper authentication data')

615

log.debug('Plugin returned proper authentication data')

617

return plugin_user

616

return plugin_user

618

# we failed to Auth because .auth() method didn't return proper user

617

# we failed to Auth because .auth() method didn't return proper user

619

log.debug("User `%s` failed to authenticate against %s",

618

log.debug("User `%s` failed to authenticate against %s",

620

display_user, plugin.get_id())

619

display_user, plugin.get_id())

621

return None

620

return None

	Site-wide shortcuts
/	Use quick search box
g h	Goto home page
g g	Goto my private gists page
g G	Goto my public gists page
g 0-9	Goto bookmarked items from 0-9
n r	New repository page
n g	New gist page

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages

             # -*- coding: utf-8 -*-
             # Copyright (C) 2010-2016  RhodeCode GmbH
             #
             # This program is free software: you can redistribute it and/or modify
             # it under the terms of the GNU Affero General Public License, version 3
             # (only), as published by the Free Software Foundation.
             #
             # This program is distributed in the hope that it will be useful,
             # but WITHOUT ANY WARRANTY; without even the implied warranty of
             # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
             # GNU General Public License for more details.
             #
             # You should have received a copy of the GNU Affero General Public License
             # along with this program.  If not, see <http://www.gnu.org/licenses/>.
             #
             # This program is dual-licensed. If you wish to learn more about the
             # RhodeCode Enterprise Edition, including its added features, Support services,
             # and proprietary license terms, please see https://rhodecode.com/licenses/
             """
             Authentication modules
             """
             import colander
             import logging
             import time
             import traceback
             import warnings
             from pyramid.threadlocal import get_current_registry
             from sqlalchemy.ext.hybrid import hybrid_property
             from rhodecode.authentication.interface import IAuthnPluginRegistry
             from rhodecode.authentication.schema import AuthnPluginSettingsSchemaBase
             from rhodecode.lib import caches
             from rhodecode.lib.auth import PasswordGenerator, _RhodeCodeCryptoBCrypt
             from rhodecode.lib.utils2 import md5_safe, safe_int
             from rhodecode.lib.utils2 import safe_str
             from rhodecode.model.db import User
             from rhodecode.model.meta import Session
             from rhodecode.model.settings import SettingsModel
             from rhodecode.model.user import UserModel
             from rhodecode.model.user_group import UserGroupModel
             log = logging.getLogger(__name__)
             # auth types that authenticate() function can receive
             VCS_TYPE = 'vcs'
             HTTP_TYPE = 'http'
             class LazyFormencode(object):
                 def __init__(self, formencode_obj, *args, **kwargs):
                     self.formencode_obj = formencode_obj
                     self.args = args
                     self.kwargs = kwargs
                 def __call__(self, *args, **kwargs):
                     from inspect import isfunction
                     formencode_obj = self.formencode_obj
                     if isfunction(formencode_obj):
                         # case we wrap validators into functions
                         formencode_obj = self.formencode_obj(*args, **kwargs)
                     return formencode_obj(*self.args, **self.kwargs)
             class RhodeCodeAuthPluginBase(object):
                 # cache the authentication request for N amount of seconds. Some kind
                 # of authentication methods are very heavy and it's very efficient to cache
                 # the result of a call. If it's set to None (default) cache is off
                 AUTH_CACHE_TTL = None
                 AUTH_CACHE = {}
                 auth_func_attrs = {
                     "username": "unique username",
                     "firstname": "first name",
                     "lastname": "last name",
                     "email": "email address",
                     "groups": '["list", "of", "groups"]',
                     "extern_name": "name in external source of record",
                     "extern_type": "type of external source of record",
                     "admin": 'True|False defines if user should be RhodeCode super admin',
                     "active":
                         'True|False defines active state of user internally for RhodeCode',
                     "active_from_extern":
                         "True|False\None, active state from the external auth, "
                         "None means use definition from RhodeCode extern_type active value"
                 }
                 # set on authenticate() method and via set_auth_type func.
                 auth_type = None
                 # List of setting names to store encrypted. Plugins may override this list
                 # to store settings encrypted.
                 _settings_encrypted = []
                 # Mapping of python to DB settings model types. Plugins may override or
                 # extend this mapping.
                 _settings_type_map = {
                     colander.String: 'unicode',
                     colander.Integer: 'int',
                     colander.Boolean: 'bool',
                     colander.List: 'list',
                 }
                 def __init__(self, plugin_id):
                     self._plugin_id = plugin_id
                 def __str__(self):
                     return self.get_id()
                 def _get_setting_full_name(self, name):
                     """
                     Return the full setting name used for storing values in the database.
                     """
                     # TODO: johbo: Using the name here is problematic. It would be good to
                     # introduce either new models in the database to hold Plugin and
                     # PluginSetting or to use the plugin id here.
                     return 'auth_{}_{}'.format(self.name, name)
                 def _get_setting_type(self, name):
                     """
                     Return the type of a setting. This type is defined by the SettingsModel
                     and determines how the setting is stored in DB. Optionally the suffix
                     `.encrypted` is appended to instruct SettingsModel to store it
                     encrypted.
                     """
                     schema_node = self.get_settings_schema().get(name)
                     db_type = self._settings_type_map.get(
                         type(schema_node.typ), 'unicode')
                     if name in self._settings_encrypted:
                         db_type = '{}.encrypted'.format(db_type)
                     return db_type
                 def is_enabled(self):
                     """
                     Returns true if this plugin is enabled. An enabled plugin can be
                     configured in the admin interface but it is not consulted during
                     authentication.
                     """
                     auth_plugins = SettingsModel().get_auth_plugins()
                     return self.get_id() in auth_plugins
                 def is_active(self):
                     """
                     Returns true if the plugin is activated. An activated plugin is
                     consulted during authentication, assumed it is also enabled.
                     """
                     return self.get_setting_by_name('enabled')
                 def get_id(self):
                     """
                     Returns the plugin id.
                     """
                     return self._plugin_id
                 def get_display_name(self):
                     """
                     Returns a translation string for displaying purposes.
                     """
                     raise NotImplementedError('Not implemented in base class')
                 def get_settings_schema(self):
                     """
                     Returns a colander schema, representing the plugin settings.
                     """
                     return AuthnPluginSettingsSchemaBase()
                 def get_setting_by_name(self, name, default=None):
                     """
                     Returns a plugin setting by name.
                     """
                     full_name = self._get_setting_full_name(name)
                     db_setting = SettingsModel().get_setting_by_name(full_name)
                     return db_setting.app_settings_value if db_setting else default
                 def create_or_update_setting(self, name, value):
                     """
                     Create or update a setting for this plugin in the persistent storage.
                     """
                     full_name = self._get_setting_full_name(name)
                     type_ = self._get_setting_type(name)
                     db_setting = SettingsModel().create_or_update_setting(
                         full_name, value, type_)
                     return db_setting.app_settings_value
                 def get_settings(self):
                     """
                     Returns the plugin settings as dictionary.
                     """
                     settings = {}
                     for node in self.get_settings_schema():
                         settings[node.name] = self.get_setting_by_name(node.name)
                     return settings
                 @property
                 def validators(self):
                     """
                     Exposes RhodeCode validators modules
                     """
                     # this is a hack to overcome issues with pylons threadlocals and
                     # translator object _() not beein registered properly.
                     class LazyCaller(object):
                         def __init__(self, name):
                             self.validator_name = name
                         def __call__(self, *args, **kwargs):
                             from rhodecode.model import validators as v
                             obj = getattr(v, self.validator_name)
                             # log.debug('Initializing lazy formencode object: %s', obj)
                             return LazyFormencode(obj, *args, **kwargs)
                     class ProxyGet(object):
                         def __getattribute__(self, name):
                             return LazyCaller(name)
                     return ProxyGet()
                 @hybrid_property
                 def name(self):
                     """
                     Returns the name of this authentication plugin.
                     :returns: string
                     """
                     raise NotImplementedError("Not implemented in base class")
                 @property
                 def is_headers_auth(self):
                     """
                     Returns True if this authentication plugin uses HTTP headers as
                     authentication method.
                     """
                     return False
                 @hybrid_property
                 def is_container_auth(self):
                     """
                     Deprecated method that indicates if this authentication plugin uses
                     HTTP headers as authentication method.
                     """
                     warnings.warn(
                         'Use is_headers_auth instead.', category=DeprecationWarning)
                     return self.is_headers_auth
                 @hybrid_property
                 def allows_creating_users(self):
                     """
                     Defines if Plugin allows users to be created on-the-fly when
                     authentication is called. Controls how external plugins should behave
                     in terms if they are allowed to create new users, or not. Base plugins
                     should not be allowed to, but External ones should be !
                     :return: bool
                     """
                     return False
                 def set_auth_type(self, auth_type):
                     self.auth_type = auth_type
                 def allows_authentication_from(
                         self, user, allows_non_existing_user=True,
                         allowed_auth_plugins=None, allowed_auth_sources=None):
                     """
                     Checks if this authentication module should accept a request for
                     the current user.
                     :param user: user object fetched using plugin's get_user() method.
                     :param allows_non_existing_user: if True, don't allow the
                         user to be empty, meaning not existing in our database
                     :param allowed_auth_plugins: if provided, users extern_type will be
                         checked against a list of provided extern types, which are plugin
                         auth_names in the end
                     :param allowed_auth_sources: authentication type allowed,
                         `http` or `vcs` default is both.
                         defines if plugin will accept only http authentication vcs
                         authentication(git/hg) or both
                     :returns: boolean
                     """
                     if not user and not allows_non_existing_user:
                         log.debug('User is empty but plugin does not allow empty users,'
                                   'not allowed to authenticate')
                         return False
                     expected_auth_plugins = allowed_auth_plugins or [self.name]
                     if user and (user.extern_type and
                                  user.extern_type not in expected_auth_plugins):
                         log.debug(
                             'User `%s` is bound to `%s` auth type. Plugin allows only '
                             '%s, skipping', user, user.extern_type, expected_auth_plugins)
                         return False
                     # by default accept both
                     expected_auth_from = allowed_auth_sources or [HTTP_TYPE, VCS_TYPE]
                     if self.auth_type not in expected_auth_from:
                         log.debug('Current auth source is %s but plugin only allows %s',
                                   self.auth_type, expected_auth_from)
                         return False
                     return True
                 def get_user(self, username=None, **kwargs):
                     """
                     Helper method for user fetching in plugins, by default it's using
                     simple fetch by username, but this method can be custimized in plugins
                     eg. headers auth plugin to fetch user by environ params
                     :param username: username if given to fetch from database
                     :param kwargs: extra arguments needed for user fetching.
                     """
                     user = None
                     log.debug(
                         'Trying to fetch user `%s` from RhodeCode database', username)
                     if username:
                         user = User.get_by_username(username)
                         if not user:
                             log.debug('User not found, fallback to fetch user in '
                                       'case insensitive mode')
                             user = User.get_by_username(username, case_insensitive=True)
                     else:
                         log.debug('provided username:`%s` is empty skipping...', username)
                     if not user:
                         log.debug('User `%s` not found in database', username)
                     return user
                 def user_activation_state(self):
                     """
                     Defines user activation state when creating new users
                     :returns: boolean
                     """
                     raise NotImplementedError("Not implemented in base class")
                 def auth(self, userobj, username, passwd, settings, **kwargs):
                     """
                     Given a user object (which may be null), username, a plaintext
                     password, and a settings object (containing all the keys needed as
                     listed in settings()), authenticate this user's login attempt.
                     Return None on failure. On success, return a dictionary of the form:
                         see: RhodeCodeAuthPluginBase.auth_func_attrs
                     This is later validated for correctness
                     """
                     raise NotImplementedError("not implemented in base class")
                 def _authenticate(self, userobj, username, passwd, settings, **kwargs):
                     """
                     Wrapper to call self.auth() that validates call on it
                     :param userobj: userobj
                     :param username: username
                     :param passwd: plaintext password
                     :param settings: plugin settings
                     """
                     auth = self.auth(userobj, username, passwd, settings, **kwargs)
                     if auth:
                         # check if hash should be migrated ?
                         new_hash = auth.get('_hash_migrate')
                         if new_hash:
                             self._migrate_hash_to_bcrypt(username, passwd, new_hash)
                         return self._validate_auth_return(auth)
                     return auth
                 def _migrate_hash_to_bcrypt(self, username, password, new_hash):
                     new_hash_cypher = _RhodeCodeCryptoBCrypt()
                     # extra checks, so make sure new hash is correct.
                     password_encoded = safe_str(password)
                     if new_hash and new_hash_cypher.hash_check(
                             password_encoded, new_hash):
                         cur_user = User.get_by_username(username)
                         cur_user.password = new_hash
                         Session().add(cur_user)
                         Session().flush()
                         log.info('Migrated user %s hash to bcrypt', cur_user)
                 def _validate_auth_return(self, ret):
                     if not isinstance(ret, dict):
                         raise Exception('returned value from auth must be a dict')
                     for k in self.auth_func_attrs:
                         if k not in ret:
                             raise Exception('Missing %s attribute from returned data' % k)
                     return ret
             class RhodeCodeExternalAuthPlugin(RhodeCodeAuthPluginBase):
                 @hybrid_property
                 def allows_creating_users(self):
                     return True
                 def use_fake_password(self):
                     """
                     Return a boolean that indicates whether or not we should set the user's
                     password to a random value when it is authenticated by this plugin.
                     If your plugin provides authentication, then you will generally
                     want this.
                     :returns: boolean
                     """
                     raise NotImplementedError("Not implemented in base class")
                 def _authenticate(self, userobj, username, passwd, settings, **kwargs):
                     # at this point _authenticate calls plugin's `auth()` function
                     auth = super(RhodeCodeExternalAuthPlugin, self)._authenticate(
                         userobj, username, passwd, settings, **kwargs)
                     if auth:
                         # maybe plugin will clean the username ?
                         # we should use the return value
                         username = auth['username']
                         # if external source tells us that user is not active, we should
                         # skip rest of the process. This can prevent from creating users in
                         # RhodeCode when using external authentication, but if it's
                         # inactive user we shouldn't create that user anyway
                         if auth['active_from_extern'] is False:
                             log.warning(
                                 "User %s authenticated against %s, but is inactive",
                                 username, self.__module__)
                             return None
                         cur_user = User.get_by_username(username, case_insensitive=True)
                         is_user_existing = cur_user is not None
                         if is_user_existing:
                             log.debug('Syncing user `%s` from '
                                       '`%s` plugin', username, self.name)
                         else:
                             log.debug('Creating non existing user `%s` from '
                                       '`%s` plugin', username, self.name)
                         if self.allows_creating_users:
                             log.debug('Plugin `%s` allows to '
                                       'create new users', self.name)
                         else:
                             log.debug('Plugin `%s` does not allow to '
                                       'create new users', self.name)
                         user_parameters = {
                             'username': username,
                             'email': auth["email"],
                             'firstname': auth["firstname"],
                             'lastname': auth["lastname"],
                             'active': auth["active"],
                             'admin': auth["admin"],
                             'extern_name': auth["extern_name"],
                             'extern_type': self.name,
                             'plugin': self,
                             'allow_to_create_user': self.allows_creating_users,
                         }
                         if not is_user_existing:
                             if self.use_fake_password():
                                 # Randomize the PW because we don't need it, but don't want
                                 # them blank either
                                 passwd = PasswordGenerator().gen_password(length=16)
                             user_parameters['password'] = passwd
                         else:
                             # Since the password is required by create_or_update method of
                             # UserModel, we need to set it explicitly.
                             # The create_or_update method is smart and recognises the
                             # password hashes as well.
                             user_parameters['password'] = cur_user.password
                         # we either create or update users, we also pass the flag
                         # that controls if this method can actually do that.
                         # raises NotAllowedToCreateUserError if it cannot, and we try to.
                         user = UserModel().create_or_update(**user_parameters)
                         Session().flush()
                         # enforce user is just in given groups, all of them has to be ones
                         # created from plugins. We store this info in _group_data JSON
                         # field
                         try:
                             groups = auth['groups'] or []
                             UserGroupModel().enforce_groups(user, groups, self.name)
                         except Exception:
                             # for any reason group syncing fails, we should
                             # proceed with login
                             log.error(traceback.format_exc())
                         Session().commit()
                     return auth
             def loadplugin(plugin_id):
                 """
                 Loads and returns an instantiated authentication plugin.
                 Returns the RhodeCodeAuthPluginBase subclass on success,
                 or None on failure.
                 """
                 # TODO: Disusing pyramids thread locals to retrieve the registry.
                 authn_registry = get_authn_registry()
                 plugin = authn_registry.get_plugin(plugin_id)
                 if plugin is None:
                     log.error('Authentication plugin not found: "%s"', plugin_id)
                 return plugin
             def get_authn_registry(registry=None):
                 registry = registry or get_current_registry()
                 authn_registry = registry.getUtility(IAuthnPluginRegistry)
                 return authn_registry
             def get_auth_cache_manager(custom_ttl=None):
                 return caches.get_cache_manager(
                     'auth_plugins', 'rhodecode.authentication', custom_ttl)
             def authenticate(username, password, environ=None, auth_type=None,
                              skip_missing=False):
                 """
                 Authentication function used for access control,
                 It tries to authenticate based on enabled authentication modules.
                 :param username: username can be empty for headers auth
                 :param password: password can be empty for headers auth
                 :param environ: environ headers passed for headers auth
                 :param auth_type: type of authentication, either `HTTP_TYPE` or `VCS_TYPE`
                 :param skip_missing: ignores plugins that are in db but not in environment
                 :returns: None if auth failed, plugin_user dict if auth is correct
                 """
                 if not auth_type or auth_type not in [HTTP_TYPE, VCS_TYPE]:
                     raise ValueError('auth type must be on of http, vcs got "%s" instead'
                                      % auth_type)
                 headers_only = environ and not (username and password)
                 authn_registry = get_authn_registry()
                 for plugin in authn_registry.get_plugins_for_authentication():
                     plugin.set_auth_type(auth_type)
                     user = plugin.get_user(username)
                     display_user = user.username if user else username
                     if headers_only and not plugin.is_headers_auth:
                         log.debug('Auth type is for headers only and plugin `%s` is not '
                                   'headers plugin, skipping...', plugin.get_id())
                         continue
                     # load plugin settings from RhodeCode database
                     plugin_settings = plugin.get_settings()
                     log.debug('Plugin settings:%s', plugin_settings)
                     log.debug('Trying authentication using ** %s **', plugin.get_id())
                     # use plugin's method of user extraction.
                     user = plugin.get_user(username, environ=environ,
                                            settings=plugin_settings)
                     display_user = user.username if user else username
                     log.debug(
                         'Plugin %s extracted user is `%s`', plugin.get_id(), display_user)
                     if not plugin.allows_authentication_from(user):
                         log.debug('Plugin %s does not accept user `%s` for authentication',
                                   plugin.get_id(), display_user)
                         continue
                     else:
                         log.debug('Plugin %s accepted user `%s` for authentication',
                                   plugin.get_id(), display_user)
                     log.info('Authenticating user `%s` using %s plugin',
                              display_user, plugin.get_id())
                     _cache_ttl = 0
                     if isinstance(plugin.AUTH_CACHE_TTL, (int, long)):
                         # plugin cache set inside is more important than the settings value
                         _cache_ttl = plugin.AUTH_CACHE_TTL
                     elif plugin_settings.get('auth_cache_ttl'):
                         _cache_ttl = safe_int(plugin_settings.get('auth_cache_ttl'), 0)
                     plugin_cache_active = bool(_cache_ttl and _cache_ttl > 0)
                     # get instance of cache manager configured for a namespace
                     cache_manager = get_auth_cache_manager(custom_ttl=_cache_ttl)
-                    log.debug('Cache for plugin `%s` active: %s', plugin.get_id(),
+                    log.debug('AUTH_CACHE_TTL for plugin `%s` active: %s (TTL: %s)',
-                              plugin_cache_active)
+                              plugin.get_id(), plugin_cache_active, _cache_ttl)
                     # for environ based password can be empty, but then the validation is
                     # on the server that fills in the env data needed for authentication
                     _password_hash = md5_safe(plugin.name + username + (password or ''))
                     # _authenticate is a wrapper for .auth() method of plugin.
                     # it checks if .auth() sends proper data.
                     # For RhodeCodeExternalAuthPlugin it also maps users to
                     # Database and maps the attributes returned from .auth()
                     # to RhodeCode database. If this function returns data
                     # then auth is correct.
                     start = time.time()
-                    log.debug('Running plugin `%s` _authenticate method',
+                    log.debug('Running plugin `%s` _authenticate method', plugin.get_id())
-                              plugin.get_id())
                     def auth_func():
                         """
                         This function is used internally in Cache of Beaker to calculate
                         Results
                         """
                         return plugin._authenticate(
                             user, username, password, plugin_settings,
                             environ=environ or {})
                     if plugin_cache_active:
                         plugin_user = cache_manager.get(
                             _password_hash, createfunc=auth_func)
                     else:
                         plugin_user = auth_func()
                     auth_time = time.time() - start
                     log.debug('Authentication for plugin `%s` completed in %.3fs, '
                               'expiration time of fetched cache %.1fs.',
                               plugin.get_id(), auth_time, _cache_ttl)
                     log.debug('PLUGIN USER DATA: %s', plugin_user)
                     if plugin_user:
                         log.debug('Plugin returned proper authentication data')
                         return plugin_user
                     # we failed to Auth because .auth() method didn't return proper user
                     log.debug("User `%s` failed to authenticate against %s",
                               display_user, plugin.get_id())
                 return None