Show More
@@ -0,0 +1,223 b'' | |||||
|
1 | # -*- coding: utf-8 -*- | |||
|
2 | ||||
|
3 | # Copyright (C) 2012-2016 RhodeCode GmbH | |||
|
4 | # | |||
|
5 | # This program is free software: you can redistribute it and/or modify | |||
|
6 | # it under the terms of the GNU Affero General Public License, version 3 | |||
|
7 | # (only), as published by the Free Software Foundation. | |||
|
8 | # | |||
|
9 | # This program is distributed in the hope that it will be useful, | |||
|
10 | # but WITHOUT ANY WARRANTY; without even the implied warranty of | |||
|
11 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |||
|
12 | # GNU General Public License for more details. | |||
|
13 | # | |||
|
14 | # You should have received a copy of the GNU Affero General Public License | |||
|
15 | # along with this program. If not, see <http://www.gnu.org/licenses/>. | |||
|
16 | # | |||
|
17 | # This program is dual-licensed. If you wish to learn more about the | |||
|
18 | # RhodeCode Enterprise Edition, including its added features, Support services, | |||
|
19 | # and proprietary license terms, please see https://rhodecode.com/licenses/ | |||
|
20 | ||||
|
21 | import colander | |||
|
22 | import logging | |||
|
23 | ||||
|
24 | from sqlalchemy.ext.hybrid import hybrid_property | |||
|
25 | ||||
|
26 | from rhodecode.authentication.base import RhodeCodeExternalAuthPlugin | |||
|
27 | from rhodecode.authentication.schema import AuthnPluginSettingsSchemaBase | |||
|
28 | from rhodecode.authentication.routes import AuthnPluginResourceBase | |||
|
29 | from rhodecode.lib.colander_utils import strip_whitespace | |||
|
30 | from rhodecode.lib.utils2 import str2bool, safe_unicode | |||
|
31 | from rhodecode.model.db import User | |||
|
32 | from rhodecode.translation import _ | |||
|
33 | ||||
|
34 | ||||
|
35 | log = logging.getLogger(__name__) | |||
|
36 | ||||
|
37 | ||||
|
38 | def plugin_factory(plugin_id, *args, **kwds): | |||
|
39 | """ | |||
|
40 | Factory function that is called during plugin discovery. | |||
|
41 | It returns the plugin instance. | |||
|
42 | """ | |||
|
43 | plugin = RhodeCodeAuthPlugin(plugin_id) | |||
|
44 | return plugin | |||
|
45 | ||||
|
46 | ||||
|
47 | class HeadersAuthnResource(AuthnPluginResourceBase): | |||
|
48 | pass | |||
|
49 | ||||
|
50 | ||||
|
51 | class HeadersSettingsSchema(AuthnPluginSettingsSchemaBase): | |||
|
52 | header = colander.SchemaNode( | |||
|
53 | colander.String(), | |||
|
54 | default='REMOTE_USER', | |||
|
55 | description=_('Header to extract the user from'), | |||
|
56 | preparer=strip_whitespace, | |||
|
57 | title=_('Header'), | |||
|
58 | widget='string') | |||
|
59 | fallback_header = colander.SchemaNode( | |||
|
60 | colander.String(), | |||
|
61 | default='HTTP_X_FORWARDED_USER', | |||
|
62 | description=_('Header to extract the user from when main one fails'), | |||
|
63 | preparer=strip_whitespace, | |||
|
64 | title=_('Fallback header'), | |||
|
65 | widget='string') | |||
|
66 | clean_username = colander.SchemaNode( | |||
|
67 | colander.Boolean(), | |||
|
68 | default=True, | |||
|
69 | description=_('Perform cleaning of user, if passed user has @ in ' | |||
|
70 | 'username then first part before @ is taken. ' | |||
|
71 | 'If there\'s \\ in the username only the part after ' | |||
|
72 | ' \\ is taken'), | |||
|
73 | missing=False, | |||
|
74 | title=_('Clean username'), | |||
|
75 | widget='bool') | |||
|
76 | ||||
|
77 | ||||
|
78 | class RhodeCodeAuthPlugin(RhodeCodeExternalAuthPlugin): | |||
|
79 | ||||
|
80 | def includeme(self, config): | |||
|
81 | config.add_authn_plugin(self) | |||
|
82 | config.add_authn_resource(self.get_id(), HeadersAuthnResource(self)) | |||
|
83 | config.add_view( | |||
|
84 | 'rhodecode.authentication.views.AuthnPluginViewBase', | |||
|
85 | attr='settings_get', | |||
|
86 | request_method='GET', | |||
|
87 | route_name='auth_home', | |||
|
88 | context=HeadersAuthnResource) | |||
|
89 | config.add_view( | |||
|
90 | 'rhodecode.authentication.views.AuthnPluginViewBase', | |||
|
91 | attr='settings_post', | |||
|
92 | request_method='POST', | |||
|
93 | route_name='auth_home', | |||
|
94 | context=HeadersAuthnResource) | |||
|
95 | ||||
|
96 | def get_display_name(self): | |||
|
97 | return _('Headers') | |||
|
98 | ||||
|
99 | def get_settings_schema(self): | |||
|
100 | return HeadersSettingsSchema() | |||
|
101 | ||||
|
102 | @hybrid_property | |||
|
103 | def name(self): | |||
|
104 | return 'headers' | |||
|
105 | ||||
|
106 | @hybrid_property | |||
|
107 | def is_container_auth(self): | |||
|
108 | return True | |||
|
109 | ||||
|
110 | def use_fake_password(self): | |||
|
111 | return True | |||
|
112 | ||||
|
113 | def user_activation_state(self): | |||
|
114 | def_user_perms = User.get_default_user().AuthUser.permissions['global'] | |||
|
115 | return 'hg.extern_activate.auto' in def_user_perms | |||
|
116 | ||||
|
117 | def _clean_username(self, username): | |||
|
118 | # Removing realm and domain from username | |||
|
119 | username = username.split('@')[0] | |||
|
120 | username = username.rsplit('\\')[-1] | |||
|
121 | return username | |||
|
122 | ||||
|
123 | def _get_username(self, environ, settings): | |||
|
124 | username = None | |||
|
125 | environ = environ or {} | |||
|
126 | if not environ: | |||
|
127 | log.debug('got empty environ: %s' % environ) | |||
|
128 | ||||
|
129 | settings = settings or {} | |||
|
130 | if settings.get('header'): | |||
|
131 | header = settings.get('header') | |||
|
132 | username = environ.get(header) | |||
|
133 | log.debug('extracted %s:%s' % (header, username)) | |||
|
134 | ||||
|
135 | # fallback mode | |||
|
136 | if not username and settings.get('fallback_header'): | |||
|
137 | header = settings.get('fallback_header') | |||
|
138 | username = environ.get(header) | |||
|
139 | log.debug('extracted %s:%s' % (header, username)) | |||
|
140 | ||||
|
141 | if username and str2bool(settings.get('clean_username')): | |||
|
142 | log.debug('Received username `%s` from headers' % username) | |||
|
143 | username = self._clean_username(username) | |||
|
144 | log.debug('New cleanup user is:%s' % username) | |||
|
145 | return username | |||
|
146 | ||||
|
147 | def get_user(self, username=None, **kwargs): | |||
|
148 | """ | |||
|
149 | Helper method for user fetching in plugins, by default it's using | |||
|
150 | simple fetch by username, but this method can be custimized in plugins | |||
|
151 | eg. headers auth plugin to fetch user by environ params | |||
|
152 | :param username: username if given to fetch | |||
|
153 | :param kwargs: extra arguments needed for user fetching. | |||
|
154 | """ | |||
|
155 | environ = kwargs.get('environ') or {} | |||
|
156 | settings = kwargs.get('settings') or {} | |||
|
157 | username = self._get_username(environ, settings) | |||
|
158 | # we got the username, so use default method now | |||
|
159 | return super(RhodeCodeAuthPlugin, self).get_user(username) | |||
|
160 | ||||
|
161 | def auth(self, userobj, username, password, settings, **kwargs): | |||
|
162 | """ | |||
|
163 | Get's the headers_auth username (or email). It tries to get username | |||
|
164 | from REMOTE_USER if this plugin is enabled, if that fails | |||
|
165 | it tries to get username from HTTP_X_FORWARDED_USER if fallback header | |||
|
166 | is set. clean_username extracts the username from this data if it's | |||
|
167 | having @ in it. | |||
|
168 | Return None on failure. On success, return a dictionary of the form: | |||
|
169 | ||||
|
170 | see: RhodeCodeAuthPluginBase.auth_func_attrs | |||
|
171 | ||||
|
172 | :param userobj: | |||
|
173 | :param username: | |||
|
174 | :param password: | |||
|
175 | :param settings: | |||
|
176 | :param kwargs: | |||
|
177 | """ | |||
|
178 | environ = kwargs.get('environ') | |||
|
179 | if not environ: | |||
|
180 | log.debug('Empty environ data skipping...') | |||
|
181 | return None | |||
|
182 | ||||
|
183 | if not userobj: | |||
|
184 | userobj = self.get_user('', environ=environ, settings=settings) | |||
|
185 | ||||
|
186 | # we don't care passed username/password for headers auth plugins. | |||
|
187 | # only way to log in is using environ | |||
|
188 | username = None | |||
|
189 | if userobj: | |||
|
190 | username = getattr(userobj, 'username') | |||
|
191 | ||||
|
192 | if not username: | |||
|
193 | # we don't have any objects in DB user doesn't exist extrac username | |||
|
194 | # from environ based on the settings | |||
|
195 | username = self._get_username(environ, settings) | |||
|
196 | ||||
|
197 | # if cannot fetch username, it's a no-go for this plugin to proceed | |||
|
198 | if not username: | |||
|
199 | return None | |||
|
200 | ||||
|
201 | # old attrs fetched from RhodeCode database | |||
|
202 | admin = getattr(userobj, 'admin', False) | |||
|
203 | active = getattr(userobj, 'active', True) | |||
|
204 | email = getattr(userobj, 'email', '') | |||
|
205 | firstname = getattr(userobj, 'firstname', '') | |||
|
206 | lastname = getattr(userobj, 'lastname', '') | |||
|
207 | extern_type = getattr(userobj, 'extern_type', '') | |||
|
208 | ||||
|
209 | user_attrs = { | |||
|
210 | 'username': username, | |||
|
211 | 'firstname': safe_unicode(firstname or username), | |||
|
212 | 'lastname': safe_unicode(lastname or ''), | |||
|
213 | 'groups': [], | |||
|
214 | 'email': email or '', | |||
|
215 | 'admin': admin or False, | |||
|
216 | 'active': active, | |||
|
217 | 'active_from_extern': True, | |||
|
218 | 'extern_name': username, | |||
|
219 | 'extern_type': extern_type, | |||
|
220 | } | |||
|
221 | ||||
|
222 | log.info('user `%s` authenticated correctly' % user_attrs['username']) | |||
|
223 | return user_attrs |
@@ -213,8 +213,8 b' setup(' | |||||
213 | paster_plugins=['PasteScript', 'Pylons'], |
|
213 | paster_plugins=['PasteScript', 'Pylons'], | |
214 | entry_points={ |
|
214 | entry_points={ | |
215 | 'enterprise.plugins1': [ |
|
215 | 'enterprise.plugins1': [ | |
216 | 'container=rhodecode.authentication.plugins.auth_container:plugin_factory', |
|
|||
217 | 'crowd=rhodecode.authentication.plugins.auth_crowd:plugin_factory', |
|
216 | 'crowd=rhodecode.authentication.plugins.auth_crowd:plugin_factory', | |
|
217 | 'headers=rhodecode.authentication.plugins.auth_headers:plugin_factory', | |||
218 | 'jasig_cas=rhodecode.authentication.plugins.auth_jasig_cas:plugin_factory', |
|
218 | 'jasig_cas=rhodecode.authentication.plugins.auth_jasig_cas:plugin_factory', | |
219 | 'ldap=rhodecode.authentication.plugins.auth_ldap:plugin_factory', |
|
219 | 'ldap=rhodecode.authentication.plugins.auth_ldap:plugin_factory', | |
220 | 'pam=rhodecode.authentication.plugins.auth_pam:plugin_factory', |
|
220 | 'pam=rhodecode.authentication.plugins.auth_pam:plugin_factory', |
1 | NO CONTENT: file was removed |
|
NO CONTENT: file was removed |
General Comments 0
You need to be logged in to leave comments.
Login now