rhodecode-enterprise-ce Commit - r2154:574d07a8

auth: use cache_ttl from a plugin to also cache permissions....

marcink -

r2154:574d07a8 default

parent child

The requested changes are too big and content was truncated. Show full diff

rhodecode/authentication/base.py

0 +33 -14

             # -*- coding: utf-8 -*-
             # Copyright (C) 2010-2017 RhodeCode GmbH
             #
             # This program is free software: you can redistribute it and/or modify
             # it under the terms of the GNU Affero General Public License, version 3
             # (only), as published by the Free Software Foundation.
             #
             # This program is distributed in the hope that it will be useful,
             # but WITHOUT ANY WARRANTY; without even the implied warranty of
             # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
             # GNU General Public License for more details.
             #
             # You should have received a copy of the GNU Affero General Public License
             # along with this program.  If not, see <http://www.gnu.org/licenses/>.
             #
             # This program is dual-licensed. If you wish to learn more about the
             # RhodeCode Enterprise Edition, including its added features, Support services,
             # and proprietary license terms, please see https://rhodecode.com/licenses/
             """
             Authentication modules
             """
             import colander
             import copy
             import logging
             import time
             import traceback
             import warnings
             import functools
             from pyramid.threadlocal import get_current_registry
             from zope.cachedescriptors.property import Lazy as LazyProperty
             from rhodecode.authentication.interface import IAuthnPluginRegistry
             from rhodecode.authentication.schema import AuthnPluginSettingsSchemaBase
             from rhodecode.lib import caches
             from rhodecode.lib.auth import PasswordGenerator, _RhodeCodeCryptoBCrypt
-            from rhodecode.lib.utils2 import md5_safe, safe_int
+            from rhodecode.lib.utils2 import safe_int
             from rhodecode.lib.utils2 import safe_str
             from rhodecode.model.db import User
             from rhodecode.model.meta import Session
             from rhodecode.model.settings import SettingsModel
             from rhodecode.model.user import UserModel
             from rhodecode.model.user_group import UserGroupModel
             log = logging.getLogger(__name__)
             # auth types that authenticate() function can receive
             VCS_TYPE = 'vcs'
             HTTP_TYPE = 'http'
             class hybrid_property(object):
                 """
                 a property decorator that works both for instance and class
                 """
                 def __init__(self, fget, fset=None, fdel=None, expr=None):
                     self.fget = fget
                     self.fset = fset
                     self.fdel = fdel
                     self.expr = expr or fget
                     functools.update_wrapper(self, fget)
                 def __get__(self, instance, owner):
                     if instance is None:
                         return self.expr(owner)
                     else:
                         return self.fget(instance)
                 def __set__(self, instance, value):
                     self.fset(instance, value)
                 def __delete__(self, instance):
                     self.fdel(instance)
             class LazyFormencode(object):
                 def __init__(self, formencode_obj, *args, **kwargs):
                     self.formencode_obj = formencode_obj
                     self.args = args
                     self.kwargs = kwargs
                 def __call__(self, *args, **kwargs):
                     from inspect import isfunction
                     formencode_obj = self.formencode_obj
                     if isfunction(formencode_obj):
                         # case we wrap validators into functions
                         formencode_obj = self.formencode_obj(*args, **kwargs)
                     return formencode_obj(*self.args, **self.kwargs)
             class RhodeCodeAuthPluginBase(object):
                 # cache the authentication request for N amount of seconds. Some kind
                 # of authentication methods are very heavy and it's very efficient to cache
                 # the result of a call. If it's set to None (default) cache is off
                 AUTH_CACHE_TTL = None
                 AUTH_CACHE = {}
                 auth_func_attrs = {
                     "username": "unique username",
                     "firstname": "first name",
                     "lastname": "last name",
                     "email": "email address",
                     "groups": '["list", "of", "groups"]',
                     "extern_name": "name in external source of record",
                     "extern_type": "type of external source of record",
                     "admin": 'True|False defines if user should be RhodeCode super admin',
                     "active":
                         'True|False defines active state of user internally for RhodeCode',
                     "active_from_extern":
                         "True|False\None, active state from the external auth, "
                         "None means use definition from RhodeCode extern_type active value"
                 }
                 # set on authenticate() method and via set_auth_type func.
                 auth_type = None
                 # set on authenticate() method and via set_calling_scope_repo, this is a
                 # calling scope repository when doing authentication most likely on VCS
                 # operations
                 acl_repo_name = None
                 # List of setting names to store encrypted. Plugins may override this list
                 # to store settings encrypted.
                 _settings_encrypted = []
                 # Mapping of python to DB settings model types. Plugins may override or
                 # extend this mapping.
                 _settings_type_map = {
                     colander.String: 'unicode',
                     colander.Integer: 'int',
                     colander.Boolean: 'bool',
                     colander.List: 'list',
                 }
                 # list of keys in settings that are unsafe to be logged, should be passwords
                 # or other crucial credentials
                 _settings_unsafe_keys = []
                 def __init__(self, plugin_id):
                     self._plugin_id = plugin_id
                 def __str__(self):
                     return self.get_id()
                 def _get_setting_full_name(self, name):
                     """
                     Return the full setting name used for storing values in the database.
                     """
                     # TODO: johbo: Using the name here is problematic. It would be good to
                     # introduce either new models in the database to hold Plugin and
                     # PluginSetting or to use the plugin id here.
                     return 'auth_{}_{}'.format(self.name, name)
                 def _get_setting_type(self, name):
                     """
                     Return the type of a setting. This type is defined by the SettingsModel
                     and determines how the setting is stored in DB. Optionally the suffix
                     `.encrypted` is appended to instruct SettingsModel to store it
                     encrypted.
                     """
                     schema_node = self.get_settings_schema().get(name)
                     db_type = self._settings_type_map.get(
                         type(schema_node.typ), 'unicode')
                     if name in self._settings_encrypted:
                         db_type = '{}.encrypted'.format(db_type)
                     return db_type
                 @LazyProperty
                 def plugin_settings(self):
                     settings = SettingsModel().get_all_settings()
                     return settings
                 def is_enabled(self):
                     """
                     Returns true if this plugin is enabled. An enabled plugin can be
                     configured in the admin interface but it is not consulted during
                     authentication.
                     """
                     auth_plugins = SettingsModel().get_auth_plugins()
                     return self.get_id() in auth_plugins
                 def is_active(self):
                     """
                     Returns true if the plugin is activated. An activated plugin is
                     consulted during authentication, assumed it is also enabled.
                     """
                     return self.get_setting_by_name('enabled')
                 def get_id(self):
                     """
                     Returns the plugin id.
                     """
                     return self._plugin_id
                 def get_display_name(self):
                     """
                     Returns a translation string for displaying purposes.
                     """
                     raise NotImplementedError('Not implemented in base class')
                 def get_settings_schema(self):
                     """
                     Returns a colander schema, representing the plugin settings.
                     """
                     return AuthnPluginSettingsSchemaBase()
                 def get_setting_by_name(self, name, default=None):
                     """
                     Returns a plugin setting by name.
                     """
                     full_name = 'rhodecode_{}'.format(self._get_setting_full_name(name))
                     plugin_settings = self.plugin_settings
                     return plugin_settings.get(full_name) or default
                 def create_or_update_setting(self, name, value):
                     """
                     Create or update a setting for this plugin in the persistent storage.
                     """
                     full_name = self._get_setting_full_name(name)
                     type_ = self._get_setting_type(name)
                     db_setting = SettingsModel().create_or_update_setting(
                         full_name, value, type_)
                     return db_setting.app_settings_value
                 def get_settings(self):
                     """
                     Returns the plugin settings as dictionary.
                     """
                     settings = {}
                     for node in self.get_settings_schema():
                         settings[node.name] = self.get_setting_by_name(node.name)
                     return settings
                 def log_safe_settings(self, settings):
                     """
                     returns a log safe representation of settings, without any secrets
                     """
                     settings_copy = copy.deepcopy(settings)
                     for k in self._settings_unsafe_keys:
                         if k in settings_copy:
                             del settings_copy[k]
                     return settings_copy
                 @property
                 def validators(self):
                     """
                     Exposes RhodeCode validators modules
                     """
                     # this is a hack to overcome issues with pylons threadlocals and
                     # translator object _() not being registered properly.
                     class LazyCaller(object):
                         def __init__(self, name):
                             self.validator_name = name
                         def __call__(self, *args, **kwargs):
                             from rhodecode.model import validators as v
                             obj = getattr(v, self.validator_name)
                             # log.debug('Initializing lazy formencode object: %s', obj)
                             return LazyFormencode(obj, *args, **kwargs)
                     class ProxyGet(object):
                         def __getattribute__(self, name):
                             return LazyCaller(name)
                     return ProxyGet()
                 @hybrid_property
                 def name(self):
                     """
                     Returns the name of this authentication plugin.
                     :returns: string
                     """
                     raise NotImplementedError("Not implemented in base class")
                 def get_url_slug(self):
                     """
                     Returns a slug which should be used when constructing URLs which refer
                     to this plugin. By default it returns the plugin name. If the name is
                     not suitable for using it in an URL the plugin should override this
                     method.
                     """
                     return self.name
                 @property
                 def is_headers_auth(self):
                     """
                     Returns True if this authentication plugin uses HTTP headers as
                     authentication method.
                     """
                     return False
                 @hybrid_property
                 def is_container_auth(self):
                     """
                     Deprecated method that indicates if this authentication plugin uses
                     HTTP headers as authentication method.
                     """
                     warnings.warn(
                         'Use is_headers_auth instead.', category=DeprecationWarning)
                     return self.is_headers_auth
                 @hybrid_property
                 def allows_creating_users(self):
                     """
                     Defines if Plugin allows users to be created on-the-fly when
                     authentication is called. Controls how external plugins should behave
                     in terms if they are allowed to create new users, or not. Base plugins
                     should not be allowed to, but External ones should be !
                     :return: bool
                     """
                     return False
                 def set_auth_type(self, auth_type):
                     self.auth_type = auth_type
                 def set_calling_scope_repo(self, acl_repo_name):
                     self.acl_repo_name = acl_repo_name
                 def allows_authentication_from(
                         self, user, allows_non_existing_user=True,
                         allowed_auth_plugins=None, allowed_auth_sources=None):
                     """
                     Checks if this authentication module should accept a request for
                     the current user.
                     :param user: user object fetched using plugin's get_user() method.
                     :param allows_non_existing_user: if True, don't allow the
                         user to be empty, meaning not existing in our database
                     :param allowed_auth_plugins: if provided, users extern_type will be
                         checked against a list of provided extern types, which are plugin
                         auth_names in the end
                     :param allowed_auth_sources: authentication type allowed,
                         `http` or `vcs` default is both.
                         defines if plugin will accept only http authentication vcs
                         authentication(git/hg) or both
                     :returns: boolean
                     """
                     if not user and not allows_non_existing_user:
                         log.debug('User is empty but plugin does not allow empty users,'
                                   'not allowed to authenticate')
                         return False
                     expected_auth_plugins = allowed_auth_plugins or [self.name]
                     if user and (user.extern_type and
                                  user.extern_type not in expected_auth_plugins):
                         log.debug(
                             'User `%s` is bound to `%s` auth type. Plugin allows only '
                             '%s, skipping', user, user.extern_type, expected_auth_plugins)
                         return False
                     # by default accept both
                     expected_auth_from = allowed_auth_sources or [HTTP_TYPE, VCS_TYPE]
                     if self.auth_type not in expected_auth_from:
                         log.debug('Current auth source is %s but plugin only allows %s',
                                   self.auth_type, expected_auth_from)
                         return False
                     return True
                 def get_user(self, username=None, **kwargs):
                     """
                     Helper method for user fetching in plugins, by default it's using
                     simple fetch by username, but this method can be custimized in plugins
                     eg. headers auth plugin to fetch user by environ params
                     :param username: username if given to fetch from database
                     :param kwargs: extra arguments needed for user fetching.
                     """
                     user = None
                     log.debug(
                         'Trying to fetch user `%s` from RhodeCode database', username)
                     if username:
                         user = User.get_by_username(username)
                         if not user:
                             log.debug('User not found, fallback to fetch user in '
                                       'case insensitive mode')
                             user = User.get_by_username(username, case_insensitive=True)
                     else:
                         log.debug('provided username:`%s` is empty skipping...', username)
                     if not user:
                         log.debug('User `%s` not found in database', username)
                     else:
                         log.debug('Got DB user:%s', user)
                     return user
                 def user_activation_state(self):
                     """
                     Defines user activation state when creating new users
                     :returns: boolean
                     """
                     raise NotImplementedError("Not implemented in base class")
                 def auth(self, userobj, username, passwd, settings, **kwargs):
                     """
                     Given a user object (which may be null), username, a plaintext
                     password, and a settings object (containing all the keys needed as
                     listed in settings()), authenticate this user's login attempt.
                     Return None on failure. On success, return a dictionary of the form:
                         see: RhodeCodeAuthPluginBase.auth_func_attrs
                     This is later validated for correctness
                     """
                     raise NotImplementedError("not implemented in base class")
                 def _authenticate(self, userobj, username, passwd, settings, **kwargs):
                     """
                     Wrapper to call self.auth() that validates call on it
                     :param userobj: userobj
                     :param username: username
                     :param passwd: plaintext password
                     :param settings: plugin settings
                     """
                     auth = self.auth(userobj, username, passwd, settings, **kwargs)
                     if auth:
+                        auth['_plugin'] = self.name
+                        auth['_ttl_cache'] = self.get_ttl_cache(settings)
                         # check if hash should be migrated ?
                         new_hash = auth.get('_hash_migrate')
                         if new_hash:
                             self._migrate_hash_to_bcrypt(username, passwd, new_hash)
                         return self._validate_auth_return(auth)
                     return auth
                 def _migrate_hash_to_bcrypt(self, username, password, new_hash):
                     new_hash_cypher = _RhodeCodeCryptoBCrypt()
                     # extra checks, so make sure new hash is correct.
                     password_encoded = safe_str(password)
                     if new_hash and new_hash_cypher.hash_check(
                             password_encoded, new_hash):
                         cur_user = User.get_by_username(username)
                         cur_user.password = new_hash
                         Session().add(cur_user)
                         Session().flush()
                         log.info('Migrated user %s hash to bcrypt', cur_user)
                 def _validate_auth_return(self, ret):
                     if not isinstance(ret, dict):
                         raise Exception('returned value from auth must be a dict')
                     for k in self.auth_func_attrs:
                         if k not in ret:
                             raise Exception('Missing %s attribute from returned data' % k)
                     return ret
+                def get_ttl_cache(self, settings=None):
+                    plugin_settings = settings or self.get_settings()
+                    cache_ttl = 0
+                    if isinstance(self.AUTH_CACHE_TTL, (int, long)):
+                        # plugin cache set inside is more important than the settings value
+                        cache_ttl = self.AUTH_CACHE_TTL
+                    elif plugin_settings.get('cache_ttl'):
+                        cache_ttl = safe_int(plugin_settings.get('cache_ttl'), 0)
+                    plugin_cache_active = bool(cache_ttl and cache_ttl > 0)
+                    return plugin_cache_active, cache_ttl
             class RhodeCodeExternalAuthPlugin(RhodeCodeAuthPluginBase):
                 @hybrid_property
                 def allows_creating_users(self):
                     return True
                 def use_fake_password(self):
                     """
                     Return a boolean that indicates whether or not we should set the user's
                     password to a random value when it is authenticated by this plugin.
                     If your plugin provides authentication, then you will generally
                     want this.
                     :returns: boolean
                     """
                     raise NotImplementedError("Not implemented in base class")
                 def _authenticate(self, userobj, username, passwd, settings, **kwargs):
                     # at this point _authenticate calls plugin's `auth()` function
                     auth = super(RhodeCodeExternalAuthPlugin, self)._authenticate(
                         userobj, username, passwd, settings, **kwargs)
                     if auth:
                         # maybe plugin will clean the username ?
                         # we should use the return value
                         username = auth['username']
                         # if external source tells us that user is not active, we should
                         # skip rest of the process. This can prevent from creating users in
                         # RhodeCode when using external authentication, but if it's
                         # inactive user we shouldn't create that user anyway
                         if auth['active_from_extern'] is False:
                             log.warning(
                                 "User %s authenticated against %s, but is inactive",
                                 username, self.__module__)
                             return None
                         cur_user = User.get_by_username(username, case_insensitive=True)
                         is_user_existing = cur_user is not None
                         if is_user_existing:
                             log.debug('Syncing user `%s` from '
                                       '`%s` plugin', username, self.name)
                         else:
                             log.debug('Creating non existing user `%s` from '
                                       '`%s` plugin', username, self.name)
                         if self.allows_creating_users:
                             log.debug('Plugin `%s` allows to '
                                       'create new users', self.name)
                         else:
                             log.debug('Plugin `%s` does not allow to '
                                       'create new users', self.name)
                         user_parameters = {
                             'username': username,
                             'email': auth["email"],
                             'firstname': auth["firstname"],
                             'lastname': auth["lastname"],
                             'active': auth["active"],
                             'admin': auth["admin"],
                             'extern_name': auth["extern_name"],
                             'extern_type': self.name,
                             'plugin': self,
                             'allow_to_create_user': self.allows_creating_users,
                         }
                         if not is_user_existing:
                             if self.use_fake_password():
                                 # Randomize the PW because we don't need it, but don't want
                                 # them blank either
                                 passwd = PasswordGenerator().gen_password(length=16)
                             user_parameters['password'] = passwd
                         else:
                             # Since the password is required by create_or_update method of
                             # UserModel, we need to set it explicitly.
                             # The create_or_update method is smart and recognises the
                             # password hashes as well.
                             user_parameters['password'] = cur_user.password
                         # we either create or update users, we also pass the flag
                         # that controls if this method can actually do that.
                         # raises NotAllowedToCreateUserError if it cannot, and we try to.
                         user = UserModel().create_or_update(**user_parameters)
                         Session().flush()
                         # enforce user is just in given groups, all of them has to be ones
                         # created from plugins. We store this info in _group_data JSON
                         # field
                         try:
                             groups = auth['groups'] or []
                             log.debug(
                                 'Performing user_group sync based on set `%s` '
                                 'returned by this plugin', groups)
                             UserGroupModel().enforce_groups(user, groups, self.name)
                         except Exception:
                             # for any reason group syncing fails, we should
                             # proceed with login
                             log.error(traceback.format_exc())
                         Session().commit()
                     return auth
             def loadplugin(plugin_id):
                 """
                 Loads and returns an instantiated authentication plugin.
                 Returns the RhodeCodeAuthPluginBase subclass on success,
                 or None on failure.
                 """
                 # TODO: Disusing pyramids thread locals to retrieve the registry.
                 authn_registry = get_authn_registry()
                 plugin = authn_registry.get_plugin(plugin_id)
                 if plugin is None:
                     log.error('Authentication plugin not found: "%s"', plugin_id)
                 return plugin
             def get_authn_registry(registry=None):
                 registry = registry or get_current_registry()
                 authn_registry = registry.getUtility(IAuthnPluginRegistry)
                 return authn_registry
             def get_auth_cache_manager(custom_ttl=None):
                 return caches.get_cache_manager(
                     'auth_plugins', 'rhodecode.authentication', custom_ttl)
+            def get_perms_cache_manager(custom_ttl=None):
+                return caches.get_cache_manager(
+                    'auth_plugins', 'rhodecode.permissions', custom_ttl)
             def authenticate(username, password, environ=None, auth_type=None,
                              skip_missing=False, registry=None, acl_repo_name=None):
                 """
                 Authentication function used for access control,
                 It tries to authenticate based on enabled authentication modules.
                 :param username: username can be empty for headers auth
                 :param password: password can be empty for headers auth
                 :param environ: environ headers passed for headers auth
                 :param auth_type: type of authentication, either `HTTP_TYPE` or `VCS_TYPE`
                 :param skip_missing: ignores plugins that are in db but not in environment
                 :returns: None if auth failed, plugin_user dict if auth is correct
                 """
                 if not auth_type or auth_type not in [HTTP_TYPE, VCS_TYPE]:
                     raise ValueError('auth type must be on of http, vcs got "%s" instead'
                                      % auth_type)
                 headers_only = environ and not (username and password)
                 authn_registry = get_authn_registry(registry)
                 plugins_to_check = authn_registry.get_plugins_for_authentication()
                 log.debug('Starting ordered authentication chain using %s plugins',
                           plugins_to_check)
                 for plugin in plugins_to_check:
                     plugin.set_auth_type(auth_type)
                     plugin.set_calling_scope_repo(acl_repo_name)
                     if headers_only and not plugin.is_headers_auth:
                         log.debug('Auth type is for headers only and plugin `%s` is not '
                                   'headers plugin, skipping...', plugin.get_id())
                         continue
                     # load plugin settings from RhodeCode database
                     plugin_settings = plugin.get_settings()
                     plugin_sanitized_settings = plugin.log_safe_settings(plugin_settings)
                     log.debug('Plugin settings:%s', plugin_sanitized_settings)
                     log.debug('Trying authentication using ** %s **', plugin.get_id())
                     # use plugin's method of user extraction.
                     user = plugin.get_user(username, environ=environ,
                                            settings=plugin_settings)
                     display_user = user.username if user else username
                     log.debug(
                         'Plugin %s extracted user is `%s`', plugin.get_id(), display_user)
                     if not plugin.allows_authentication_from(user):
                         log.debug('Plugin %s does not accept user `%s` for authentication',
                                   plugin.get_id(), display_user)
                         continue
                     else:
                         log.debug('Plugin %s accepted user `%s` for authentication',
                                   plugin.get_id(), display_user)
                     log.info('Authenticating user `%s` using %s plugin',
                              display_user, plugin.get_id())
-                    _cache_ttl = 0
+                    plugin_cache_active, cache_ttl = plugin.get_ttl_cache(plugin_settings)
-                    if isinstance(plugin.AUTH_CACHE_TTL, (int, long)):
-                        # plugin cache set inside is more important than the settings value
-                        _cache_ttl = plugin.AUTH_CACHE_TTL
-                    elif plugin_settings.get('cache_ttl'):
-                        _cache_ttl = safe_int(plugin_settings.get('cache_ttl'), 0)
-                    plugin_cache_active = bool(_cache_ttl and _cache_ttl > 0)
                     # get instance of cache manager configured for a namespace
-                    cache_manager = get_auth_cache_manager(custom_ttl=_cache_ttl)
+                    cache_manager = get_auth_cache_manager(custom_ttl=cache_ttl)
                     log.debug('AUTH_CACHE_TTL for plugin `%s` active: %s (TTL: %s)',
-                              plugin.get_id(), plugin_cache_active, _cache_ttl)
+                              plugin.get_id(), plugin_cache_active, cache_ttl)
                     # for environ based password can be empty, but then the validation is
                     # on the server that fills in the env data needed for authentication
-                    _password_hash = md5_safe(plugin.name + username + (password or ''))
+                    _password_hash = caches.compute_key_from_params(
+                        plugin.name, username, (password or ''))
                     # _authenticate is a wrapper for .auth() method of plugin.
                     # it checks if .auth() sends proper data.
                     # For RhodeCodeExternalAuthPlugin it also maps users to
                     # Database and maps the attributes returned from .auth()
                     # to RhodeCode database. If this function returns data
                     # then auth is correct.
                     start = time.time()
                     log.debug('Running plugin `%s` _authenticate method', plugin.get_id())
                     def auth_func():
                         """
                         This function is used internally in Cache of Beaker to calculate
                         Results
                         """
+                        log.debug('auth: calculating password access now...')
                         return plugin._authenticate(
                             user, username, password, plugin_settings,
                             environ=environ or {})
                     if plugin_cache_active:
+                        log.debug('Trying to fetch cached auth by %s', _password_hash[:6])
                         plugin_user = cache_manager.get(
                             _password_hash, createfunc=auth_func)
                     else:
                         plugin_user = auth_func()
                     auth_time = time.time() - start
                     log.debug('Authentication for plugin `%s` completed in %.3fs, '
                               'expiration time of fetched cache %.1fs.',
-                              plugin.get_id(), auth_time, _cache_ttl)
+                              plugin.get_id(), auth_time, cache_ttl)
                     log.debug('PLUGIN USER DATA: %s', plugin_user)
                     if plugin_user:
                         log.debug('Plugin returned proper authentication data')
                         return plugin_user
                     # we failed to Auth because .auth() method didn't return proper user
                     log.debug("User `%s` failed to authenticate against %s",
                               display_user, plugin.get_id())
+                # case when we failed to authenticate against all defined plugins
                 return None
             def chop_at(s, sub, inclusive=False):
                 """Truncate string ``s`` at the first occurrence of ``sub``.
                 If ``inclusive`` is true, truncate just after ``sub`` rather than at it.
                 >>> chop_at("plutocratic brats", "rat")
                 'plutoc'
                 >>> chop_at("plutocratic brats", "rat", True)
                 'plutocrat'
                 """
                 pos = s.find(sub)
                 if pos == -1:
                     return s
                 if inclusive:
                     return s[:pos+len(sub)]
                 return s[:pos]

rhodecode/authentication/schema.py

0 +4 -5

             # -*- coding: utf-8 -*-
             # Copyright (C) 2012-2017 RhodeCode GmbH
             #
             # This program is free software: you can redistribute it and/or modify
             # it under the terms of the GNU Affero General Public License, version 3
             # (only), as published by the Free Software Foundation.
             #
             # This program is distributed in the hope that it will be useful,
             # but WITHOUT ANY WARRANTY; without even the implied warranty of
             # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
             # GNU General Public License for more details.
             #
             # You should have received a copy of the GNU Affero General Public License
             # along with this program.  If not, see <http://www.gnu.org/licenses/>.
             #
             # This program is dual-licensed. If you wish to learn more about the
             # RhodeCode Enterprise Edition, including its added features, Support services,
             # and proprietary license terms, please see https://rhodecode.com/licenses/
             import colander
             from rhodecode.translation import _
             class AuthnPluginSettingsSchemaBase(colander.MappingSchema):
                 """
                 This base schema is intended for use in authentication plugins.
                 It adds a few default settings (e.g., "enabled"), so that plugin
                 authors don't have to maintain a bunch of boilerplate.
                 """
                 enabled = colander.SchemaNode(
                     colander.Bool(),
                     default=False,
                     description=_('Enable or disable this authentication plugin.'),
                     missing=False,
                     title=_('Enabled'),
                     widget='bool',
                 )
                 cache_ttl = colander.SchemaNode(
                     colander.Int(),
                     default=0,
-                    description=_('Amount of seconds to cache the authentication response'
+                    description=_('Amount of seconds to cache the authentication and '
-                                  'call for this plugin. \n'
+                                  'permissions check response call for this plugin. \n'
-                                  'Useful for long calls like LDAP to improve the '
+                                  'Useful for expensive calls like LDAP to improve the '
-                                  'performance of the authentication system '
+                                  'performance of the system (0 means disabled).'),
-                                  '(0 means disabled).'),
                     missing=0,
                     title=_('Auth Cache TTL'),
                     validator=colander.Range(min=0, max=None),
                     widget='int',
                 )

rhodecode/lib/base.py

0 +4 -3

             # -*- coding: utf-8 -*-
             # Copyright (C) 2010-2017 RhodeCode GmbH
             #
             # This program is free software: you can redistribute it and/or modify
             # it under the terms of the GNU Affero General Public License, version 3
             # (only), as published by the Free Software Foundation.
             #
             # This program is distributed in the hope that it will be useful,
             # but WITHOUT ANY WARRANTY; without even the implied warranty of
             # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
             # GNU General Public License for more details.
             #
             # You should have received a copy of the GNU Affero General Public License
             # along with this program.  If not, see <http://www.gnu.org/licenses/>.
             #
             # This program is dual-licensed. If you wish to learn more about the
             # RhodeCode Enterprise Edition, including its added features, Support services,
             # and proprietary license terms, please see https://rhodecode.com/licenses/
             """
             The base Controller API
             Provides the BaseController class for subclassing. And usage in different
             controllers
             """
             import logging
             import socket
             import markupsafe
             import ipaddress
             import pyramid.threadlocal
             from paste.auth.basic import AuthBasicAuthenticator
             from paste.httpexceptions import HTTPUnauthorized, HTTPForbidden, get_exception
             from paste.httpheaders import WWW_AUTHENTICATE, AUTHORIZATION
             import rhodecode
             from rhodecode.authentication.base import VCS_TYPE
             from rhodecode.lib import auth, utils2
             from rhodecode.lib import helpers as h
             from rhodecode.lib.auth import AuthUser, CookieStoreWrapper
             from rhodecode.lib.exceptions import UserCreationError
             from rhodecode.lib.utils import (
                 get_repo_slug, set_rhodecode_config, password_changed,
                 get_enabled_hook_classes)
             from rhodecode.lib.utils2 import (
                 str2bool, safe_unicode, AttributeDict, safe_int, md5, aslist, safe_str)
             from rhodecode.model import meta
             from rhodecode.model.db import Repository, User, ChangesetComment
             from rhodecode.model.notification import NotificationModel
             from rhodecode.model.scm import ScmModel
             from rhodecode.model.settings import VcsSettingsModel, SettingsModel
             # NOTE(marcink): remove after base controller is no longer required
             from pylons.controllers import WSGIController
             from pylons.i18n import translation
             log = logging.getLogger(__name__)
             # hack to make the migration to pyramid easier
             def render(template_name, extra_vars=None, cache_key=None,
                        cache_type=None, cache_expire=None):
                 """Render a template with Mako
                 Accepts the cache options ``cache_key``, ``cache_type``, and
                 ``cache_expire``.
                 """
                 from pylons.templating import literal
                 from pylons.templating import cached_template, pylons_globals
                 # Create a render callable for the cache function
                 def render_template():
                     # Pull in extra vars if needed
                     globs = extra_vars or {}
                     # Second, get the globals
                     globs.update(pylons_globals())
                     globs['_ungettext'] = globs['ungettext']
                     # Grab a template reference
                     template = globs['app_globals'].mako_lookup.get_template(template_name)
                     return literal(template.render_unicode(**globs))
                 return cached_template(template_name, render_template, cache_key=cache_key,
                                        cache_type=cache_type, cache_expire=cache_expire)
             def _filter_proxy(ip):
                 """
                 Passed in IP addresses in HEADERS can be in a special format of multiple
                 ips. Those comma separated IPs are passed from various proxies in the
                 chain of request processing. The left-most being the original client.
                 We only care about the first IP which came from the org. client.
                 :param ip: ip string from headers
                 """
                 if ',' in ip:
                     _ips = ip.split(',')
                     _first_ip = _ips[0].strip()
                     log.debug('Got multiple IPs %s, using %s', ','.join(_ips), _first_ip)
                     return _first_ip
                 return ip
             def _filter_port(ip):
                 """
                 Removes a port from ip, there are 4 main cases to handle here.
                 - ipv4 eg. 127.0.0.1
                 - ipv6 eg. ::1
                 - ipv4+port eg. 127.0.0.1:8080
                 - ipv6+port eg. [::1]:8080
                 :param ip:
                 """
                 def is_ipv6(ip_addr):
                     if hasattr(socket, 'inet_pton'):
                         try:
                             socket.inet_pton(socket.AF_INET6, ip_addr)
                         except socket.error:
                             return False
                     else:
                         # fallback to ipaddress
                         try:
                             ipaddress.IPv6Address(safe_unicode(ip_addr))
                         except Exception:
                             return False
                     return True
                 if ':' not in ip:  # must be ipv4 pure ip
                     return ip
                 if '[' in ip and ']' in ip:  # ipv6 with port
                     return ip.split(']')[0][1:].lower()
                 # must be ipv6 or ipv4 with port
                 if is_ipv6(ip):
                     return ip
                 else:
                     ip, _port = ip.split(':')[:2]  # means ipv4+port
                     return ip
             def get_ip_addr(environ):
                 proxy_key = 'HTTP_X_REAL_IP'
                 proxy_key2 = 'HTTP_X_FORWARDED_FOR'
                 def_key = 'REMOTE_ADDR'
                 _filters = lambda x: _filter_port(_filter_proxy(x))
                 ip = environ.get(proxy_key)
                 if ip:
                     return _filters(ip)
                 ip = environ.get(proxy_key2)
                 if ip:
                     return _filters(ip)
                 ip = environ.get(def_key, '0.0.0.0')
                 return _filters(ip)
             def get_server_ip_addr(environ, log_errors=True):
                 hostname = environ.get('SERVER_NAME')
                 try:
                     return socket.gethostbyname(hostname)
                 except Exception as e:
                     if log_errors:
                         # in some cases this lookup is not possible, and we don't want to
                         # make it an exception in logs
                         log.exception('Could not retrieve server ip address: %s', e)
                     return hostname
             def get_server_port(environ):
                 return environ.get('SERVER_PORT')
             def get_access_path(environ):
                 path = environ.get('PATH_INFO')
                 org_req = environ.get('pylons.original_request')
                 if org_req:
                     path = org_req.environ.get('PATH_INFO')
                 return path
             def get_user_agent(environ):
                 return environ.get('HTTP_USER_AGENT')
             def vcs_operation_context(
                     environ, repo_name, username, action, scm, check_locking=True,
                     is_shadow_repo=False):
                 """
                 Generate the context for a vcs operation, e.g. push or pull.
                 This context is passed over the layers so that hooks triggered by the
                 vcs operation know details like the user, the user's IP address etc.
                 :param check_locking: Allows to switch of the computation of the locking
                     data. This serves mainly the need of the simplevcs middleware to be
                     able to disable this for certain operations.
                 """
                 # Tri-state value: False: unlock, None: nothing, True: lock
                 make_lock = None
                 locked_by = [None, None, None]
                 is_anonymous = username == User.DEFAULT_USER
                 if not is_anonymous and check_locking:
                     log.debug('Checking locking on repository "%s"', repo_name)
                     user = User.get_by_username(username)
                     repo = Repository.get_by_repo_name(repo_name)
                     make_lock, __, locked_by = repo.get_locking_state(
                         action, user.user_id)
                 settings_model = VcsSettingsModel(repo=repo_name)
                 ui_settings = settings_model.get_ui_settings()
                 extras = {
                     'ip': get_ip_addr(environ),
                     'username': username,
                     'action': action,
                     'repository': repo_name,
                     'scm': scm,
                     'config': rhodecode.CONFIG['__file__'],
                     'make_lock': make_lock,
                     'locked_by': locked_by,
                     'server_url': utils2.get_server_url(environ),
                     'user_agent': get_user_agent(environ),
                     'hooks': get_enabled_hook_classes(ui_settings),
                     'is_shadow_repo': is_shadow_repo,
                 }
                 return extras
             class BasicAuth(AuthBasicAuthenticator):
                 def __init__(self, realm, authfunc, registry, auth_http_code=None,
                              initial_call_detection=False, acl_repo_name=None):
                     self.realm = realm
                     self.initial_call = initial_call_detection
                     self.authfunc = authfunc
                     self.registry = registry
                     self.acl_repo_name = acl_repo_name
                     self._rc_auth_http_code = auth_http_code
                 def _get_response_from_code(self, http_code):
                     try:
                         return get_exception(safe_int(http_code))
                     except Exception:
                         log.exception('Failed to fetch response for code %s' % http_code)
                         return HTTPForbidden
                 def get_rc_realm(self):
                     return safe_str(self.registry.rhodecode_settings.get('rhodecode_realm'))
                 def build_authentication(self):
                     head = WWW_AUTHENTICATE.tuples('Basic realm="%s"' % self.realm)
                     if self._rc_auth_http_code and not self.initial_call:
                         # return alternative HTTP code if alternative http return code
                         # is specified in RhodeCode config, but ONLY if it's not the
                         # FIRST call
                         custom_response_klass = self._get_response_from_code(
                             self._rc_auth_http_code)
                         return custom_response_klass(headers=head)
                     return HTTPUnauthorized(headers=head)
                 def authenticate(self, environ):
                     authorization = AUTHORIZATION(environ)
                     if not authorization:
                         return self.build_authentication()
                     (authmeth, auth) = authorization.split(' ', 1)
                     if 'basic' != authmeth.lower():
                         return self.build_authentication()
                     auth = auth.strip().decode('base64')
                     _parts = auth.split(':', 1)
                     if len(_parts) == 2:
                         username, password = _parts
-                        if self.authfunc(
+                        auth_data = self.authfunc(
                                 username, password, environ, VCS_TYPE,
-                                registry=self.registry, acl_repo_name=self.acl_repo_name):
+                                registry=self.registry, acl_repo_name=self.acl_repo_name)
-                            return username
+                        if auth_data:
+                            return {'username': username, 'auth_data': auth_data}
                         if username and password:
                             # we mark that we actually executed authentication once, at
                             # that point we can use the alternative auth code
                             self.initial_call = False
                     return self.build_authentication()
                 __call__ = authenticate
             def calculate_version_hash(config):
                 return md5(
                     config.get('beaker.session.secret', '') +
                     rhodecode.__version__)[:8]
             def get_current_lang(request):
                 # NOTE(marcink): remove after pyramid move
                 try:
                     return translation.get_lang()[0]
                 except:
                     pass
                 return getattr(request, '_LOCALE_', request.locale_name)
             def attach_context_attributes(context, request, user_id):
                 """
                 Attach variables into template context called `c`, please note that
                 request could be pylons or pyramid request in here.
                 """
                 # NOTE(marcink): remove check after pyramid migration
                 if hasattr(request, 'registry'):
                     config = request.registry.settings
                 else:
                     from pylons import config
                 rc_config = SettingsModel().get_all_settings(cache=True)
                 context.rhodecode_version = rhodecode.__version__
                 context.rhodecode_edition = config.get('rhodecode.edition')
                 # unique secret + version does not leak the version but keep consistency
                 context.rhodecode_version_hash = calculate_version_hash(config)
                 # Default language set for the incoming request
                 context.language = get_current_lang(request)
                 # Visual options
                 context.visual = AttributeDict({})
                 # DB stored Visual Items
                 context.visual.show_public_icon = str2bool(
                     rc_config.get('rhodecode_show_public_icon'))
                 context.visual.show_private_icon = str2bool(
                     rc_config.get('rhodecode_show_private_icon'))
                 context.visual.stylify_metatags = str2bool(
                     rc_config.get('rhodecode_stylify_metatags'))
                 context.visual.dashboard_items = safe_int(
                     rc_config.get('rhodecode_dashboard_items', 100))
                 context.visual.admin_grid_items = safe_int(
                     rc_config.get('rhodecode_admin_grid_items', 100))
                 context.visual.repository_fields = str2bool(
                     rc_config.get('rhodecode_repository_fields'))
                 context.visual.show_version = str2bool(
                     rc_config.get('rhodecode_show_version'))
                 context.visual.use_gravatar = str2bool(
                     rc_config.get('rhodecode_use_gravatar'))
                 context.visual.gravatar_url = rc_config.get('rhodecode_gravatar_url')
                 context.visual.default_renderer = rc_config.get(
                     'rhodecode_markup_renderer', 'rst')
                 context.visual.comment_types = ChangesetComment.COMMENT_TYPES
                 context.visual.rhodecode_support_url = \
                     rc_config.get('rhodecode_support_url') or h.route_url('rhodecode_support')
                 context.visual.affected_files_cut_off = 60
                 context.pre_code = rc_config.get('rhodecode_pre_code')
                 context.post_code = rc_config.get('rhodecode_post_code')
                 context.rhodecode_name = rc_config.get('rhodecode_title')
                 context.default_encodings = aslist(config.get('default_encoding'), sep=',')
                 # if we have specified default_encoding in the request, it has more
                 # priority
                 if request.GET.get('default_encoding'):
                     context.default_encodings.insert(0, request.GET.get('default_encoding'))
                 context.clone_uri_tmpl = rc_config.get('rhodecode_clone_uri_tmpl')
                 # INI stored
                 context.labs_active = str2bool(
                     config.get('labs_settings_active', 'false'))
                 context.visual.allow_repo_location_change = str2bool(
                     config.get('allow_repo_location_change', True))
                 context.visual.allow_custom_hooks_settings = str2bool(
                     config.get('allow_custom_hooks_settings', True))
                 context.debug_style = str2bool(config.get('debug_style', False))
                 context.rhodecode_instanceid = config.get('instance_id')
                 context.visual.cut_off_limit_diff = safe_int(
                     config.get('cut_off_limit_diff'))
                 context.visual.cut_off_limit_file = safe_int(
                     config.get('cut_off_limit_file'))
                 # AppEnlight
                 context.appenlight_enabled = str2bool(config.get('appenlight', 'false'))
                 context.appenlight_api_public_key = config.get(
                     'appenlight.api_public_key', '')
                 context.appenlight_server_url = config.get('appenlight.server_url', '')
                 # JS template context
                 context.template_context = {
                     'repo_name': None,
                     'repo_type': None,
                     'repo_landing_commit': None,
                     'rhodecode_user': {
                         'username': None,
                         'email': None,
                         'notification_status': False
                     },
                     'visual': {
                         'default_renderer': None
                     },
                     'commit_data': {
                         'commit_id': None
                     },
                     'pull_request_data': {'pull_request_id': None},
                     'timeago': {
                         'refresh_time': 120 * 1000,
                         'cutoff_limit': 1000 * 60 * 60 * 24 * 7
                     },
                     'pyramid_dispatch': {
                     },
                     'extra': {'plugins': {}}
                 }
                 # END CONFIG VARS
                 # TODO: This dosn't work when called from pylons compatibility tween.
                 # Fix this and remove it from base controller.
                 # context.repo_name = get_repo_slug(request)  # can be empty
                 diffmode = 'sideside'
                 if request.GET.get('diffmode'):
                     if request.GET['diffmode'] == 'unified':
                         diffmode = 'unified'
                 elif request.session.get('diffmode'):
                     diffmode = request.session['diffmode']
                 context.diffmode = diffmode
                 if request.session.get('diffmode') != diffmode:
                     request.session['diffmode'] = diffmode
                 context.csrf_token = auth.get_csrf_token(session=request.session)
                 context.backends = rhodecode.BACKENDS.keys()
                 context.backends.sort()
                 context.unread_notifications = NotificationModel().get_unread_cnt_for_user(user_id)
                 # NOTE(marcink): when migrated to pyramid we don't need to set this anymore,
                 # given request will ALWAYS be pyramid one
                 pyramid_request = pyramid.threadlocal.get_current_request()
                 context.pyramid_request = pyramid_request
                 # web case
                 if hasattr(pyramid_request, 'user'):
                     context.auth_user = pyramid_request.user
                     context.rhodecode_user = pyramid_request.user
                 # api case
                 if hasattr(pyramid_request, 'rpc_user'):
                     context.auth_user = pyramid_request.rpc_user
                     context.rhodecode_user = pyramid_request.rpc_user
                 # attach the whole call context to the request
                 request.call_context = context
             def get_auth_user(request):
                 environ = request.environ
                 session = request.session
                 ip_addr = get_ip_addr(environ)
                 # make sure that we update permissions each time we call controller
                 _auth_token = (request.GET.get('auth_token', '') or
                                request.GET.get('api_key', ''))
                 if _auth_token:
                     # when using API_KEY we assume user exists, and
                     # doesn't need auth based on cookies.
                     auth_user = AuthUser(api_key=_auth_token, ip_addr=ip_addr)
                     authenticated = False
                 else:
                     cookie_store = CookieStoreWrapper(session.get('rhodecode_user'))
                     try:
                         auth_user = AuthUser(user_id=cookie_store.get('user_id', None),
                                              ip_addr=ip_addr)
                     except UserCreationError as e:
                         h.flash(e, 'error')
                         # container auth or other auth functions that create users
                         # on the fly can throw this exception signaling that there's
                         # issue with user creation, explanation should be provided
                         # in Exception itself. We then create a simple blank
                         # AuthUser
                         auth_user = AuthUser(ip_addr=ip_addr)
                     if password_changed(auth_user, session):
                         session.invalidate()
                         cookie_store = CookieStoreWrapper(session.get('rhodecode_user'))
                         auth_user = AuthUser(ip_addr=ip_addr)
                     authenticated = cookie_store.get('is_authenticated')
                 if not auth_user.is_authenticated and auth_user.is_user_object:
                     # user is not authenticated and not empty
                     auth_user.set_authenticated(authenticated)
                 return auth_user
             class BaseController(WSGIController):
                 def __before__(self):
                     """
                     __before__ is called before controller methods and after __call__
                     """
                     # on each call propagate settings calls into global settings.
                     from pylons import config
                     from pylons import tmpl_context as c, request, url
                     set_rhodecode_config(config)
                     attach_context_attributes(c, request, self._rhodecode_user.user_id)
                     # TODO: Remove this when fixed in attach_context_attributes()
                     c.repo_name = get_repo_slug(request)  # can be empty
                     self.cut_off_limit_diff = safe_int(config.get('cut_off_limit_diff'))
                     self.cut_off_limit_file = safe_int(config.get('cut_off_limit_file'))
                     self.sa = meta.Session
                     self.scm_model = ScmModel(self.sa)
                     # set user language
                     user_lang = getattr(c.pyramid_request, '_LOCALE_', None)
                     if user_lang:
                         translation.set_lang(user_lang)
                         log.debug('set language to %s for user %s',
                                   user_lang, self._rhodecode_user)
                 def _dispatch_redirect(self, with_url, environ, start_response):
                     from webob.exc import HTTPFound
                     resp = HTTPFound(with_url)
                     environ['SCRIPT_NAME'] = ''  # handle prefix middleware
                     environ['PATH_INFO'] = with_url
                     return resp(environ, start_response)
                 def __call__(self, environ, start_response):
                     """Invoke the Controller"""
                     # WSGIController.__call__ dispatches to the Controller method
                     # the request is routed to. This routing information is
                     # available in environ['pylons.routes_dict']
                     from rhodecode.lib import helpers as h
                     from pylons import tmpl_context as c, request, url
                     # Provide the Pylons context to Pyramid's debugtoolbar if it asks
                     if environ.get('debugtoolbar.wants_pylons_context', False):
                         environ['debugtoolbar.pylons_context'] = c._current_obj()
                     _route_name = '.'.join([environ['pylons.routes_dict']['controller'],
                                             environ['pylons.routes_dict']['action']])
                     self.rc_config = SettingsModel().get_all_settings(cache=True)
                     self.ip_addr = get_ip_addr(environ)
                     # The rhodecode auth user is looked up and passed through the
                     # environ by the pylons compatibility tween in pyramid.
                     # So we can just grab it from there.
                     auth_user = environ['rc_auth_user']
                     # set globals for auth user
                     request.user = auth_user
                     self._rhodecode_user = auth_user
                     log.info('IP: %s User: %s accessed %s [%s]' % (
                         self.ip_addr, auth_user, safe_unicode(get_access_path(environ)),
                         _route_name)
                     )
                     user_obj = auth_user.get_instance()
                     if user_obj and user_obj.user_data.get('force_password_change'):
                         h.flash('You are required to change your password', 'warning',
                                 ignore_duplicate=True)
                         return self._dispatch_redirect(
                             url('my_account_password'), environ, start_response)
                     return WSGIController.__call__(self, environ, start_response)
             def h_filter(s):
                 """
                 Custom filter for Mako templates. Mako by standard uses `markupsafe.escape`
                 we wrap this with additional functionality that converts None to empty
                 strings
                 """
                 if s is None:
                     return markupsafe.Markup()
                 return markupsafe.escape(s)
             def add_events_routes(config):
                 """
                 Adds routing that can be used in events. Because some events are triggered
                 outside of pyramid context, we need to bootstrap request with some
                 routing registered
                 """
                 config.add_route(name='home', pattern='/')
                 config.add_route(name='repo_summary', pattern='/{repo_name}')
                 config.add_route(name='repo_summary_explicit', pattern='/{repo_name}/summary')
                 config.add_route(name='repo_group_home', pattern='/{repo_group_name}')
                 config.add_route(name='pullrequest_show',
                                  pattern='/{repo_name}/pull-request/{pull_request_id}')
                 config.add_route(name='pull_requests_global',
                                  pattern='/pull-request/{pull_request_id}')
                 config.add_route(name='repo_commit',
                                  pattern='/{repo_name}/changeset/{commit_id}')
                 config.add_route(name='repo_files',
                                  pattern='/{repo_name}/files/{commit_id}/{f_path}')
             def bootstrap_request(**kwargs):
                 import pyramid.testing
                 class TestRequest(pyramid.testing.DummyRequest):
                     application_url = kwargs.pop('application_url', 'http://example.com')
                     host = kwargs.pop('host', 'example.com:80')
                     domain = kwargs.pop('domain', 'example.com')
                 class TestDummySession(pyramid.testing.DummySession):
                     def save(*arg, **kw):
                         pass
                 request = TestRequest(**kwargs)
                 request.session = TestDummySession()
                 config = pyramid.testing.setUp(request=request)
                 add_events_routes(config)
                 return request

rhodecode/lib/middleware/simplevcs.py

0 +91 -32

             # -*- coding: utf-8 -*-
             # Copyright (C) 2014-2017 RhodeCode GmbH
             #
             # This program is free software: you can redistribute it and/or modify
             # it under the terms of the GNU Affero General Public License, version 3
             # (only), as published by the Free Software Foundation.
             #
             # This program is distributed in the hope that it will be useful,
             # but WITHOUT ANY WARRANTY; without even the implied warranty of
             # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
             # GNU General Public License for more details.
             #
             # You should have received a copy of the GNU Affero General Public License
             # along with this program.  If not, see <http://www.gnu.org/licenses/>.
             #
             # This program is dual-licensed. If you wish to learn more about the
             # RhodeCode Enterprise Edition, including its added features, Support services,
             # and proprietary license terms, please see https://rhodecode.com/licenses/
             """
             SimpleVCS middleware for handling protocol request (push/clone etc.)
             It's implemented with basic auth function
             """
             import os
+            import re
             import logging
             import importlib
-            import re
             from functools import wraps
+            import time
             from paste.httpheaders import REMOTE_USER, AUTH_TYPE
             from webob.exc import (
                 HTTPNotFound, HTTPForbidden, HTTPNotAcceptable, HTTPInternalServerError)
             import rhodecode
-            from rhodecode.authentication.base import authenticate, VCS_TYPE
+            from rhodecode.authentication.base import (
+                authenticate, get_perms_cache_manager, VCS_TYPE)
+            from rhodecode.lib import caches
             from rhodecode.lib.auth import AuthUser, HasPermissionAnyMiddleware
             from rhodecode.lib.base import (
                 BasicAuth, get_ip_addr, get_user_agent, vcs_operation_context)
             from rhodecode.lib.exceptions import (
                 HTTPLockedRC, HTTPRequirementError, UserCreationError,
                 NotAllowedToCreateUserError)
             from rhodecode.lib.hooks_daemon import prepare_callback_daemon
             from rhodecode.lib.middleware import appenlight
             from rhodecode.lib.middleware.utils import scm_app_http
-            from rhodecode.lib.utils import (
+            from rhodecode.lib.utils import is_valid_repo, SLUG_RE
-                is_valid_repo, get_rhodecode_base_path, SLUG_RE)
             from rhodecode.lib.utils2 import safe_str, fix_PATH, str2bool, safe_unicode
             from rhodecode.lib.vcs.conf import settings as vcs_settings
             from rhodecode.lib.vcs.backends import base
             from rhodecode.model import meta
             from rhodecode.model.db import User, Repository, PullRequest
             from rhodecode.model.scm import ScmModel
             from rhodecode.model.pull_request import PullRequestModel
             from rhodecode.model.settings import SettingsModel
             log = logging.getLogger(__name__)
             def initialize_generator(factory):
                 """
                 Initializes the returned generator by draining its first element.
                 This can be used to give a generator an initializer, which is the code
                 up to the first yield statement. This decorator enforces that the first
                 produced element has the value ``"__init__"`` to make its special
                 purpose very explicit in the using code.
                 """
                 @wraps(factory)
                 def wrapper(*args, **kwargs):
                     gen = factory(*args, **kwargs)
                     try:
                         init = gen.next()
                     except StopIteration:
                         raise ValueError('Generator must yield at least one element.')
                     if init != "__init__":
                         raise ValueError('First yielded element must be "__init__".')
                     return gen
                 return wrapper
             class SimpleVCS(object):
                 """Common functionality for SCM HTTP handlers."""
                 SCM = 'unknown'
                 acl_repo_name = None
                 url_repo_name = None
                 vcs_repo_name = None
                 # We have to handle requests to shadow repositories different than requests
                 # to normal repositories. Therefore we have to distinguish them. To do this
                 # we use this regex which will match only on URLs pointing to shadow
                 # repositories.
                 shadow_repo_re = re.compile(
                     '(?P<groups>(?:{slug_pat}/)*)'  # repo groups
                     '(?P<target>{slug_pat})/'       # target repo
                     'pull-request/(?P<pr_id>\d+)/'  # pull request
                     'repository$'                   # shadow repo
                     .format(slug_pat=SLUG_RE.pattern))
                 def __init__(self, application, config, registry):
                     self.registry = registry
                     self.application = application
                     self.config = config
                     # re-populated by specialized middleware
                     self.repo_vcs_config = base.Config()
                     self.rhodecode_settings = SettingsModel().get_all_settings(cache=True)
                     self.basepath = rhodecode.CONFIG['base_path']
                     registry.rhodecode_settings = self.rhodecode_settings
                     # authenticate this VCS request using authfunc
                     auth_ret_code_detection = \
                         str2bool(self.config.get('auth_ret_code_detection', False))
                     self.authenticate = BasicAuth(
                         '', authenticate, registry, config.get('auth_ret_code'),
                         auth_ret_code_detection)
                     self.ip_addr = '0.0.0.0'
                 def set_repo_names(self, environ):
                     """
                     This will populate the attributes acl_repo_name, url_repo_name,
                     vcs_repo_name and is_shadow_repo. In case of requests to normal (non
                     shadow) repositories all names are equal. In case of requests to a
                     shadow repository the acl-name points to the target repo of the pull
                     request and the vcs-name points to the shadow repo file system path.
                     The url-name is always the URL used by the vcs client program.
                     Example in case of a shadow repo:
                         acl_repo_name = RepoGroup/MyRepo
                         url_repo_name = RepoGroup/MyRepo/pull-request/3/repository
                         vcs_repo_name = /repo/base/path/RepoGroup/.__shadow_MyRepo_pr-3'
                     """
                     # First we set the repo name from URL for all attributes. This is the
                     # default if handling normal (non shadow) repo requests.
                     self.url_repo_name = self._get_repository_name(environ)
                     self.acl_repo_name = self.vcs_repo_name = self.url_repo_name
                     self.is_shadow_repo = False
                     # Check if this is a request to a shadow repository.
                     match = self.shadow_repo_re.match(self.url_repo_name)
                     if match:
                         match_dict = match.groupdict()
                         # Build acl repo name from regex match.
                         acl_repo_name = safe_unicode('{groups}{target}'.format(
                             groups=match_dict['groups'] or '',
                             target=match_dict['target']))
                         # Retrieve pull request instance by ID from regex match.
                         pull_request = PullRequest.get(match_dict['pr_id'])
                         # Only proceed if we got a pull request and if acl repo name from
                         # URL equals the target repo name of the pull request.
                         if pull_request and (acl_repo_name ==
                                              pull_request.target_repo.repo_name):
                             # Get file system path to shadow repository.
                             workspace_id = PullRequestModel()._workspace_id(pull_request)
                             target_vcs = pull_request.target_repo.scm_instance()
                             vcs_repo_name = target_vcs._get_shadow_repository_path(
                                 workspace_id)
                             # Store names for later usage.
                             self.vcs_repo_name = vcs_repo_name
                             self.acl_repo_name = acl_repo_name
                             self.is_shadow_repo = True
                     log.debug('Setting all VCS repository names: %s', {
                         'acl_repo_name': self.acl_repo_name,
                         'url_repo_name': self.url_repo_name,
                         'vcs_repo_name': self.vcs_repo_name,
                     })
                 @property
                 def scm_app(self):
                     custom_implementation = self.config['vcs.scm_app_implementation']
                     if custom_implementation == 'http':
                         log.info('Using HTTP implementation of scm app.')
                         scm_app_impl = scm_app_http
                     else:
                         log.info('Using custom implementation of scm_app: "{}"'.format(
                             custom_implementation))
                         scm_app_impl = importlib.import_module(custom_implementation)
                     return scm_app_impl
                 def _get_by_id(self, repo_name):
                     """
                     Gets a special pattern _<ID> from clone url and tries to replace it
                     with a repository_name for support of _<ID> non changeable urls
                     """
                     data = repo_name.split('/')
                     if len(data) >= 2:
                         from rhodecode.model.repo import RepoModel
                         by_id_match = RepoModel().get_repo_by_id(repo_name)
                         if by_id_match:
                             data[1] = by_id_match.repo_name
                     return safe_str('/'.join(data))
                 def _invalidate_cache(self, repo_name):
                     """
                     Set's cache for this repository for invalidation on next access
                     :param repo_name: full repo name, also a cache key
                     """
                     ScmModel().mark_for_invalidation(repo_name)
                 def is_valid_and_existing_repo(self, repo_name, base_path, scm_type):
                     db_repo = Repository.get_by_repo_name(repo_name)
                     if not db_repo:
                         log.debug('Repository `%s` not found inside the database.',
                                   repo_name)
                         return False
                     if db_repo.repo_type != scm_type:
                         log.warning(
                             'Repository `%s` have incorrect scm_type, expected %s got %s',
                             repo_name, db_repo.repo_type, scm_type)
                         return False
                     return is_valid_repo(repo_name, base_path, explicit_scm=scm_type)
                 def valid_and_active_user(self, user):
                     """
                     Checks if that user is not empty, and if it's actually object it checks
                     if he's active.
                     :param user: user object or None
                     :return: boolean
                     """
                     if user is None:
                         return False
                     elif user.active:
                         return True
                     return False
                 @property
                 def is_shadow_repo_dir(self):
                     return os.path.isdir(self.vcs_repo_name)
-                def _check_permission(self, action, user, repo_name, ip_addr=None):
+                def _check_permission(self, action, user, repo_name, ip_addr=None,
+                                      plugin_id='', plugin_cache_active=False, cache_ttl=0):
                     """
                     Checks permissions using action (push/pull) user and repository
-                    name
+                    name. If plugin_cache and ttl is set it will use the plugin which
+                    authenticated the user to store the cached permissions result for N
+                    amount of seconds as in cache_ttl
                     :param action: push or pull action
                     :param user: user instance
                     :param repo_name: repository name
                     """
-                    # check IP
-                    inherit = user.inherit_default_permissions
+                    # get instance of cache manager configured for a namespace
-                    ip_allowed = AuthUser.check_ip_allowed(user.user_id, ip_addr,
+                    cache_manager = get_perms_cache_manager(custom_ttl=cache_ttl)
-                                                           inherit_from_default=inherit)
+                    log.debug('AUTH_CACHE_TTL for permissions `%s` active: %s (TTL: %s)',
-                    if ip_allowed:
+                              plugin_id, plugin_cache_active, cache_ttl)
-                        log.info('Access for IP:%s allowed', ip_addr)
-                    else:
+                    # for environ based password can be empty, but then the validation is
-                        return False
+                    # on the server that fills in the env data needed for authentication
+                    _perm_calc_hash = caches.compute_key_from_params(
+                        plugin_id, action, user.user_id, repo_name, ip_addr)
-                    if action == 'push':
+                    # _authenticate is a wrapper for .auth() method of plugin.
-                        if not HasPermissionAnyMiddleware('repository.write',
+                    # it checks if .auth() sends proper data.
-                                                          'repository.admin')(user,
+                    # For RhodeCodeExternalAuthPlugin it also maps users to
-                                                                              repo_name):
+                    # Database and maps the attributes returned from .auth()
+                    # to RhodeCode database. If this function returns data
+                    # then auth is correct.
+                    start = time.time()
+                    log.debug('Running plugin `%s` permissions check', plugin_id)
+                    def perm_func():
+                        """
+                        This function is used internally in Cache of Beaker to calculate
+                        Results
+                        """
+                        log.debug('auth: calculating permission access now...')
+                        # check IP
+                        inherit = user.inherit_default_permissions
+                        ip_allowed = AuthUser.check_ip_allowed(
+                            user.user_id, ip_addr, inherit_from_default=inherit)
+                        if ip_allowed:
+                            log.info('Access for IP:%s allowed', ip_addr)
+                        else:
                             return False
+                        if action == 'push':
+                            perms = ('repository.write', 'repository.admin')
+                            if not HasPermissionAnyMiddleware(*perms)(user, repo_name):
+                                return False
+                        else:
+                            # any other action need at least read permission
+                            perms = (
+                                'repository.read', 'repository.write', 'repository.admin')
+                            if not HasPermissionAnyMiddleware(*perms)(user, repo_name):
+                                return False
+                        return True
+                    if plugin_cache_active:
+                        log.debug('Trying to fetch cached perms by %s', _perm_calc_hash[:6])
+                        perm_result = cache_manager.get(
+                            _perm_calc_hash, createfunc=perm_func)
                     else:
-                        # any other action need at least read permission
+                        perm_result = perm_func()
-                        if not HasPermissionAnyMiddleware('repository.read',
-                                                          'repository.write',
-                                                          'repository.admin')(user,
-                                                                              repo_name):
-                            return False
-                    return True
+                    auth_time = time.time() - start
+                    log.debug('Permissions for plugin `%s` completed in %.3fs, '
+                              'expiration time of fetched cache %.1fs.',
+                              plugin_id, auth_time, cache_ttl)
+                    return perm_result
                 def _check_ssl(self, environ, start_response):
                     """
                     Checks the SSL check flag and returns False if SSL is not present
                     and required True otherwise
                     """
                     org_proto = environ['wsgi._org_proto']
                     # check if we have SSL required  ! if not it's a bad request !
                     require_ssl = str2bool(self.repo_vcs_config.get('web', 'push_ssl'))
                     if require_ssl and org_proto == 'http':
                         log.debug('proto is %s and SSL is required BAD REQUEST !',
                                   org_proto)
                         return False
                     return True
                 def __call__(self, environ, start_response):
                     try:
                         return self._handle_request(environ, start_response)
                     except Exception:
                         log.exception("Exception while handling request")
                         appenlight.track_exception(environ)
                         return HTTPInternalServerError()(environ, start_response)
                     finally:
                         meta.Session.remove()
                 def _handle_request(self, environ, start_response):
                     if not self._check_ssl(environ, start_response):
                         reason = ('SSL required, while RhodeCode was unable '
                                   'to detect this as SSL request')
                         log.debug('User not allowed to proceed, %s', reason)
                         return HTTPNotAcceptable(reason)(environ, start_response)
                     if not self.url_repo_name:
                         log.warning('Repository name is empty: %s', self.url_repo_name)
                         # failed to get repo name, we fail now
                         return HTTPNotFound()(environ, start_response)
                     log.debug('Extracted repo name is %s', self.url_repo_name)
                     ip_addr = get_ip_addr(environ)
                     user_agent = get_user_agent(environ)
                     username = None
                     # skip passing error to error controller
                     environ['pylons.status_code_redirect'] = True
                     # ======================================================================
                     # GET ACTION PULL or PUSH
                     # ======================================================================
                     action = self._get_action(environ)
                     # ======================================================================
                     # Check if this is a request to a shadow repository of a pull request.
                     # In this case only pull action is allowed.
                     # ======================================================================
                     if self.is_shadow_repo and action != 'pull':
                         reason = 'Only pull action is allowed for shadow repositories.'
                         log.debug('User not allowed to proceed, %s', reason)
                         return HTTPNotAcceptable(reason)(environ, start_response)
                     # Check if the shadow repo actually exists, in case someone refers
                     # to it, and it has been deleted because of successful merge.
                     if self.is_shadow_repo and not self.is_shadow_repo_dir:
                         return HTTPNotFound()(environ, start_response)
                     # ======================================================================
                     # CHECK ANONYMOUS PERMISSION
                     # ======================================================================
                     if action in ['pull', 'push']:
                         anonymous_user = User.get_default_user()
                         username = anonymous_user.username
                         if anonymous_user.active:
                             # ONLY check permissions if the user is activated
                             anonymous_perm = self._check_permission(
                                 action, anonymous_user, self.acl_repo_name, ip_addr)
                         else:
                             anonymous_perm = False
                         if not anonymous_user.active or not anonymous_perm:
                             if not anonymous_user.active:
                                 log.debug('Anonymous access is disabled, running '
                                           'authentication')
                             if not anonymous_perm:
                                 log.debug('Not enough credentials to access this '
                                           'repository as anonymous user')
                             username = None
                             # ==============================================================
                             # DEFAULT PERM FAILED OR ANONYMOUS ACCESS IS DISABLED SO WE
                             # NEED TO AUTHENTICATE AND ASK FOR AUTH USER PERMISSIONS
                             # ==============================================================
                             # try to auth based on environ, container auth methods
                             log.debug('Running PRE-AUTH for container based authentication')
                             pre_auth = authenticate(
                                 '', '', environ, VCS_TYPE, registry=self.registry,
                                 acl_repo_name=self.acl_repo_name)
                             if pre_auth and pre_auth.get('username'):
                                 username = pre_auth['username']
                             log.debug('PRE-AUTH got %s as username', username)
+                            if pre_auth:
+                                log.debug('PRE-AUTH successful from %s',
+                                          pre_auth.get('auth_data', {}).get('_plugin'))
                             # If not authenticated by the container, running basic auth
                             # before inject the calling repo_name for special scope checks
                             self.authenticate.acl_repo_name = self.acl_repo_name
+                            plugin_cache_active, cache_ttl = False, 0
+                            plugin = None
                             if not username:
                                 self.authenticate.realm = self.authenticate.get_rc_realm()
                                 try:
-                                    result = self.authenticate(environ)
+                                    auth_result = self.authenticate(environ)
                                 except (UserCreationError, NotAllowedToCreateUserError) as e:
                                     log.error(e)
                                     reason = safe_str(e)
                                     return HTTPNotAcceptable(reason)(environ, start_response)
-                                if isinstance(result, str):
+                                if isinstance(auth_result, dict):
                                     AUTH_TYPE.update(environ, 'basic')
-                                    REMOTE_USER.update(environ, result)
+                                    REMOTE_USER.update(environ, auth_result['username'])
-                                    username = result
+                                    username = auth_result['username']
+                                    plugin = auth_result.get('auth_data', {}).get('_plugin')
+                                    log.info(
+                                        'MAIN-AUTH successful for user `%s` from %s plugin',
+                                        username, plugin)
+                                    plugin_cache_active, cache_ttl = auth_result.get(
+                                        'auth_data', {}).get('_ttl_cache') or (False, 0)
                                 else:
-                                    return result.wsgi_application(environ, start_response)
+                                    return auth_result.wsgi_application(
+                                        environ, start_response)
                             # ==============================================================
                             # CHECK PERMISSIONS FOR THIS REQUEST USING GIVEN USERNAME
                             # ==============================================================
                             user = User.get_by_username(username)
                             if not self.valid_and_active_user(user):
                                 return HTTPForbidden()(environ, start_response)
                             username = user.username
                             user.update_lastactivity()
                             meta.Session().commit()
                             # check user attributes for password change flag
                             user_obj = user
                             if user_obj and user_obj.username != User.DEFAULT_USER and \
                                     user_obj.user_data.get('force_password_change'):
                                 reason = 'password change required'
                                 log.debug('User not allowed to authenticate, %s', reason)
                                 return HTTPNotAcceptable(reason)(environ, start_response)
                             # check permissions for this repository
                             perm = self._check_permission(
-                                action, user, self.acl_repo_name, ip_addr)
+                                action, user, self.acl_repo_name, ip_addr,
+                                plugin, plugin_cache_active, cache_ttl)
                             if not perm:
                                 return HTTPForbidden()(environ, start_response)
                     # extras are injected into UI object and later available
-                    # in hooks executed by rhodecode
+                    # in hooks executed by RhodeCode
                     check_locking = _should_check_locking(environ.get('QUERY_STRING'))
                     extras = vcs_operation_context(
                         environ, repo_name=self.acl_repo_name, username=username,
                         action=action, scm=self.SCM, check_locking=check_locking,
                         is_shadow_repo=self.is_shadow_repo
                     )
                     # ======================================================================
                     # REQUEST HANDLING
                     # ======================================================================
                     repo_path = os.path.join(
                         safe_str(self.basepath), safe_str(self.vcs_repo_name))
                     log.debug('Repository path is %s', repo_path)
                     fix_PATH()
                     log.info(
                         '%s action on %s repo "%s" by "%s" from %s %s',
                         action, self.SCM, safe_str(self.url_repo_name),
                         safe_str(username), ip_addr, user_agent)
                     return self._generate_vcs_response(
                         environ, start_response, repo_path, extras, action)
                 @initialize_generator
                 def _generate_vcs_response(
                         self, environ, start_response, repo_path, extras, action):
                     """
                     Returns a generator for the response content.
                     This method is implemented as a generator, so that it can trigger
                     the cache validation after all content sent back to the client. It
                     also handles the locking exceptions which will be triggered when
                     the first chunk is produced by the underlying WSGI application.
                     """
                     callback_daemon, extras = self._prepare_callback_daemon(extras)
                     config = self._create_config(extras, self.acl_repo_name)
                     log.debug('HOOKS extras is %s', extras)
                     app = self._create_wsgi_app(repo_path, self.url_repo_name, config)
                     try:
                         with callback_daemon:
                             try:
                                 response = app(environ, start_response)
                             finally:
                                 # This statement works together with the decorator
                                 # "initialize_generator" above. The decorator ensures that
                                 # we hit the first yield statement before the generator is
                                 # returned back to the WSGI server. This is needed to
                                 # ensure that the call to "app" above triggers the
                                 # needed callback to "start_response" before the
                                 # generator is actually used.
                                 yield "__init__"
                             for chunk in response:
                                 yield chunk
                     except Exception as exc:
                         # TODO: martinb: Exceptions are only raised in case of the Pyro4
                         # backend. Refactor this except block after dropping Pyro4 support.
                         # TODO: johbo: Improve "translating" back the exception.
                         if getattr(exc, '_vcs_kind', None) == 'repo_locked':
                             exc = HTTPLockedRC(*exc.args)
                             _code = rhodecode.CONFIG.get('lock_ret_code')
                             log.debug('Repository LOCKED ret code %s!', (_code,))
                         elif getattr(exc, '_vcs_kind', None) == 'requirement':
                             log.debug(
                                 'Repository requires features unknown to this Mercurial')
                             exc = HTTPRequirementError(*exc.args)
                         else:
                             raise
                         for chunk in exc(environ, start_response):
                             yield chunk
                     finally:
                         # invalidate cache on push
                         try:
                             if action == 'push':
                                 self._invalidate_cache(self.url_repo_name)
                         finally:
                             meta.Session.remove()
                 def _get_repository_name(self, environ):
                     """Get repository name out of the environmnent
                     :param environ: WSGI environment
                     """
                     raise NotImplementedError()
                 def _get_action(self, environ):
                     """Map request commands into a pull or push command.
                     :param environ: WSGI environment
                     """
                     raise NotImplementedError()
                 def _create_wsgi_app(self, repo_path, repo_name, config):
                     """Return the WSGI app that will finally handle the request."""
                     raise NotImplementedError()
                 def _create_config(self, extras, repo_name):
                     """Create a safe config representation."""
                     raise NotImplementedError()
                 def _prepare_callback_daemon(self, extras):
                     return prepare_callback_daemon(
                         extras, protocol=vcs_settings.HOOKS_PROTOCOL,
                         use_direct_calls=vcs_settings.HOOKS_DIRECT_CALLS)
             def _should_check_locking(query_string):
                 # this is kind of hacky, but due to how mercurial handles client-server
                 # server see all operation on commit; bookmarks, phases and
                 # obsolescence marker in different transaction, we don't want to check
                 # locking on those
                 return query_string not in ['cmd=listkeys']

rhodecode/model/db.py

0 0 0

	1	NO CONTENT: modified file			NO CONTENT: modified file
The requested commit or file is too big and content was truncated. Show full diff

rhodecode/tests/lib/auth_modules/test_auth_modules.py

0 +9 -4

             # -*- coding: utf-8 -*-
             # Copyright (C) 2010-2017 RhodeCode GmbH
             #
             # This program is free software: you can redistribute it and/or modify
             # it under the terms of the GNU Affero General Public License, version 3
             # (only), as published by the Free Software Foundation.
             #
             # This program is distributed in the hope that it will be useful,
             # but WITHOUT ANY WARRANTY; without even the implied warranty of
             # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
             # GNU General Public License for more details.
             #
             # You should have received a copy of the GNU Affero General Public License
             # along with this program.  If not, see <http://www.gnu.org/licenses/>.
             #
             # This program is dual-licensed. If you wish to learn more about the
             # RhodeCode Enterprise Edition, including its added features, Support services,
             # and proprietary license terms, please see https://rhodecode.com/licenses/
             import mock
             import pytest
             from rhodecode.lib.auth import _RhodeCodeCryptoBCrypt
             from rhodecode.authentication.base import RhodeCodeAuthPluginBase
             from rhodecode.authentication.plugins.auth_ldap import RhodeCodeAuthPlugin
             from rhodecode.model import db
+            class TestAuthPlugin(RhodeCodeAuthPluginBase):
+                def name(self):
+                    return 'stub_auth'
             def test_authenticate_returns_from_auth(stub_auth_data):
-                plugin = RhodeCodeAuthPluginBase('stub_id')
+                plugin = TestAuthPlugin('stub_id')
                 with mock.patch.object(plugin, 'auth') as auth_mock:
                     auth_mock.return_value = stub_auth_data
                     result = plugin._authenticate(mock.Mock(), 'test', 'password', {})
                 assert stub_auth_data == result
             def test_authenticate_returns_empty_auth_data():
                 auth_data = {}
-                plugin = RhodeCodeAuthPluginBase('stub_id')
+                plugin = TestAuthPlugin('stub_id')
                 with mock.patch.object(plugin, 'auth') as auth_mock:
                     auth_mock.return_value = auth_data
                     result = plugin._authenticate(mock.Mock(), 'test', 'password', {})
                 assert auth_data == result
             def test_authenticate_skips_hash_migration_if_mismatch(stub_auth_data):
                 stub_auth_data['_hash_migrate'] = 'new-hash'
-                plugin = RhodeCodeAuthPluginBase('stub_id')
+                plugin = TestAuthPlugin('stub_id')
                 with mock.patch.object(plugin, 'auth') as auth_mock:
                     auth_mock.return_value = stub_auth_data
                     result = plugin._authenticate(mock.Mock(), 'test', 'password', {})
                 user = db.User.get_by_username(stub_auth_data['username'])
                 assert user.password != 'new-hash'
                 assert result == stub_auth_data
             def test_authenticate_migrates_to_new_hash(stub_auth_data):
                 new_password = b'new-password'
                 new_hash = _RhodeCodeCryptoBCrypt().hash_create(new_password)
                 stub_auth_data['_hash_migrate'] = new_hash
-                plugin = RhodeCodeAuthPluginBase('stub_id')
+                plugin = TestAuthPlugin('stub_id')
                 with mock.patch.object(plugin, 'auth') as auth_mock:
                     auth_mock.return_value = stub_auth_data
                     result = plugin._authenticate(
                         mock.Mock(), stub_auth_data['username'], new_password, {})
                 user = db.User.get_by_username(stub_auth_data['username'])
                 assert user.password == new_hash
                 assert result == stub_auth_data
             @pytest.fixture
             def stub_auth_data(user_util):
                 user = user_util.create_user()
                 data = {
                     'username': user.username,
                     'password': 'password',
                     'email': 'test@example.org',
                     'firstname': 'John',
                     'lastname': 'Smith',
                     'groups': [],
                     'active': True,
                     'admin': False,
                     'extern_name': 'test',
                     'extern_type': 'ldap',
                     'active_from_extern': True
                 }
                 return data
             class TestRhodeCodeAuthPlugin(object):
                 def setup_method(self, method):
                     self.finalizers = []
                     self.user = mock.Mock()
                     self.user.username = 'test'
                     self.user.password = 'old-password'
                     self.fake_auth = {
                         'username': 'test',
                         'password': 'test',
                         'email': 'test@example.org',
                         'firstname': 'John',
                         'lastname': 'Smith',
                         'groups': [],
                         'active': True,
                         'admin': False,
                         'extern_name': 'test',
                         'extern_type': 'ldap',
                         'active_from_extern': True
                     }
                 def teardown_method(self, method):
                     if self.finalizers:
                         for finalizer in self.finalizers:
                             finalizer()
                         self.finalizers = []
                 def test_fake_password_is_created_for_the_new_user(self):
                     self._patch()
                     auth_plugin = RhodeCodeAuthPlugin('stub_id')
                     auth_plugin._authenticate(self.user, 'test', 'test', [])
                     self.password_generator_mock.assert_called_once_with(length=16)
                     create_user_kwargs = self.create_user_mock.call_args[1]
                     assert create_user_kwargs['password'] == 'new-password'
                 def test_fake_password_is_not_created_for_the_existing_user(self):
                     self._patch()
                     self.get_user_mock.return_value = self.user
                     auth_plugin = RhodeCodeAuthPlugin('stub_id')
                     auth_plugin._authenticate(self.user, 'test', 'test', [])
                     assert self.password_generator_mock.called is False
                     create_user_kwargs = self.create_user_mock.call_args[1]
                     assert create_user_kwargs['password'] == self.user.password
                 def _patch(self):
                     get_user_patch = mock.patch('rhodecode.model.db.User.get_by_username')
                     self.get_user_mock = get_user_patch.start()
                     self.get_user_mock.return_value = None
                     self.finalizers.append(get_user_patch.stop)
                     create_user_patch = mock.patch(
                         'rhodecode.model.user.UserModel.create_or_update')
                     self.create_user_mock = create_user_patch.start()
                     self.create_user_mock.return_value = None
                     self.finalizers.append(create_user_patch.stop)
                     auth_patch = mock.patch.object(RhodeCodeAuthPlugin, 'auth')
                     self.auth_mock = auth_patch.start()
                     self.auth_mock.return_value = self.fake_auth
                     self.finalizers.append(auth_patch.stop)
                     password_generator_patch = mock.patch(
                         'rhodecode.lib.auth.PasswordGenerator.gen_password')
                     self.password_generator_mock = password_generator_patch.start()
                     self.password_generator_mock.return_value = 'new-password'
                     self.finalizers.append(password_generator_patch.stop)
             def test_missing_ldap():
                 from rhodecode.model.validators import Missing
                 try:
                     import ldap_not_existing
                 except ImportError:
                     # means that python-ldap is not installed
                     ldap_not_existing = Missing
                 # missing is singleton
                 assert ldap_not_existing == Missing
             def test_import_ldap():
                 from rhodecode.model.validators import Missing
                 try:
                     import ldap
                 except ImportError:
                     # means that python-ldap is not installed
                     ldap = Missing
                 # missing is singleton
                 assert False is (ldap == Missing)

General Comments 0

Write
Preview

You need to be logged in to leave comments. Login now

No TODOs yet

	Site-wide shortcuts
/	Use quick search box
g h	Goto home page
g g	Goto my private gists page
g G	Goto my public gists page
g 0-9	Goto bookmarked items from 0-9
n r	New repository page
n g	New gist page

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages