Show More
| @@ -0,0 +1,220 b'' | |||||
|
|
1 | # -*- coding: utf-8 -*- | |||
|
|
2 | ||||
|
|
3 | # Copyright (C) 2012-2016 RhodeCode GmbH | |||
|
|
4 | # | |||
|
|
5 | # This program is free software: you can redistribute it and/or modify | |||
|
|
6 | # it under the terms of the GNU Affero General Public License, version 3 | |||
|
|
7 | # (only), as published by the Free Software Foundation. | |||
|
|
8 | # | |||
|
|
9 | # This program is distributed in the hope that it will be useful, | |||
|
|
10 | # but WITHOUT ANY WARRANTY; without even the implied warranty of | |||
|
|
11 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |||
|
|
12 | # GNU General Public License for more details. | |||
|
|
13 | # | |||
|
|
14 | # You should have received a copy of the GNU Affero General Public License | |||
|
|
15 | # along with this program. If not, see <http://www.gnu.org/licenses/>. | |||
|
|
16 | # | |||
|
|
17 | # This program is dual-licensed. If you wish to learn more about the | |||
|
|
18 | # RhodeCode Enterprise Edition, including its added features, Support services, | |||
|
|
19 | # and proprietary license terms, please see https://rhodecode.com/licenses/ | |||
|
|
20 | ||||
|
|
21 | import colander | |||
|
|
22 | import logging | |||
|
|
23 | ||||
|
|
24 | from sqlalchemy.ext.hybrid import hybrid_property | |||
|
|
25 | ||||
|
|
26 | from rhodecode.authentication.base import RhodeCodeExternalAuthPlugin | |||
|
|
27 | from rhodecode.authentication.schema import AuthnPluginSettingsSchemaBase | |||
|
|
28 | from rhodecode.authentication.routes import AuthnPluginResourceBase | |||
|
|
29 | from rhodecode.lib.utils2 import str2bool, safe_unicode | |||
|
|
30 | from rhodecode.model.db import User | |||
|
|
31 | from rhodecode.translation import _ | |||
|
|
32 | ||||
|
|
33 | ||||
|
|
34 | log = logging.getLogger(__name__) | |||
|
|
35 | ||||
|
|
36 | ||||
|
|
37 | def plugin_factory(plugin_id, *args, **kwds): | |||
|
|
38 | """ | |||
|
|
39 | Factory function that is called during plugin discovery. | |||
|
|
40 | It returns the plugin instance. | |||
|
|
41 | """ | |||
|
|
42 | plugin = RhodeCodeAuthPlugin(plugin_id) | |||
|
|
43 | return plugin | |||
|
|
44 | ||||
|
|
45 | ||||
|
|
46 | class ContainerAuthnResource(AuthnPluginResourceBase): | |||
|
|
47 | pass | |||
|
|
48 | ||||
|
|
49 | ||||
|
|
50 | class ContainerSettingsSchema(AuthnPluginSettingsSchemaBase): | |||
|
|
51 | header = colander.SchemaNode( | |||
|
|
52 | colander.String(), | |||
|
|
53 | default='REMOTE_USER', | |||
|
|
54 | description=_('Header to extract the user from'), | |||
|
|
55 | title=_('Header'), | |||
|
|
56 | widget='string') | |||
|
|
57 | fallback_header = colander.SchemaNode( | |||
|
|
58 | colander.String(), | |||
|
|
59 | default='HTTP_X_FORWARDED_USER', | |||
|
|
60 | description=_('Header to extract the user from when main one fails'), | |||
|
|
61 | title=_('Fallback header'), | |||
|
|
62 | widget='string') | |||
|
|
63 | clean_username = colander.SchemaNode( | |||
|
|
64 | colander.Boolean(), | |||
|
|
65 | default=True, | |||
|
|
66 | description=_('Perform cleaning of user, if passed user has @ in ' | |||
|
|
67 | 'username then first part before @ is taken. ' | |||
|
|
68 | 'If there\'s \\ in the username only the part after ' | |||
|
|
69 | ' \\ is taken'), | |||
|
|
70 | missing=False, | |||
|
|
71 | title=_('Clean username'), | |||
|
|
72 | widget='bool') | |||
|
|
73 | ||||
|
|
74 | ||||
|
|
75 | class RhodeCodeAuthPlugin(RhodeCodeExternalAuthPlugin): | |||
|
|
76 | ||||
|
|
77 | def includeme(self, config): | |||
|
|
78 | config.add_authn_plugin(self) | |||
|
|
79 | config.add_authn_resource(self.get_id(), ContainerAuthnResource(self)) | |||
|
|
80 | config.add_view( | |||
|
|
81 | 'rhodecode.authentication.views.AuthnPluginViewBase', | |||
|
|
82 | attr='settings_get', | |||
|
|
83 | request_method='GET', | |||
|
|
84 | route_name='auth_home', | |||
|
|
85 | context=ContainerAuthnResource) | |||
|
|
86 | config.add_view( | |||
|
|
87 | 'rhodecode.authentication.views.AuthnPluginViewBase', | |||
|
|
88 | attr='settings_post', | |||
|
|
89 | request_method='POST', | |||
|
|
90 | route_name='auth_home', | |||
|
|
91 | context=ContainerAuthnResource) | |||
|
|
92 | ||||
|
|
93 | def get_display_name(self): | |||
|
|
94 | return _('Container') | |||
|
|
95 | ||||
|
|
96 | def get_settings_schema(self): | |||
|
|
97 | return ContainerSettingsSchema() | |||
|
|
98 | ||||
|
|
99 | @hybrid_property | |||
|
|
100 | def name(self): | |||
|
|
101 | return "container" | |||
|
|
102 | ||||
|
|
103 | @hybrid_property | |||
|
|
104 | def is_container_auth(self): | |||
|
|
105 | return True | |||
|
|
106 | ||||
|
|
107 | def use_fake_password(self): | |||
|
|
108 | return True | |||
|
|
109 | ||||
|
|
110 | def user_activation_state(self): | |||
|
|
111 | def_user_perms = User.get_default_user().AuthUser.permissions['global'] | |||
|
|
112 | return 'hg.extern_activate.auto' in def_user_perms | |||
|
|
113 | ||||
|
|
114 | def _clean_username(self, username): | |||
|
|
115 | # Removing realm and domain from username | |||
|
|
116 | username = username.split('@')[0] | |||
|
|
117 | username = username.rsplit('\\')[-1] | |||
|
|
118 | return username | |||
|
|
119 | ||||
|
|
120 | def _get_username(self, environ, settings): | |||
|
|
121 | username = None | |||
|
|
122 | environ = environ or {} | |||
|
|
123 | if not environ: | |||
|
|
124 | log.debug('got empty environ: %s' % environ) | |||
|
|
125 | ||||
|
|
126 | settings = settings or {} | |||
|
|
127 | if settings.get('header'): | |||
|
|
128 | header = settings.get('header') | |||
|
|
129 | username = environ.get(header) | |||
|
|
130 | log.debug('extracted %s:%s' % (header, username)) | |||
|
|
131 | ||||
|
|
132 | # fallback mode | |||
|
|
133 | if not username and settings.get('fallback_header'): | |||
|
|
134 | header = settings.get('fallback_header') | |||
|
|
135 | username = environ.get(header) | |||
|
|
136 | log.debug('extracted %s:%s' % (header, username)) | |||
|
|
137 | ||||
|
|
138 | if username and str2bool(settings.get('clean_username')): | |||
|
|
139 | log.debug('Received username `%s` from container' % username) | |||
|
|
140 | username = self._clean_username(username) | |||
|
|
141 | log.debug('New cleanup user is:%s' % username) | |||
|
|
142 | return username | |||
|
|
143 | ||||
|
|
144 | def get_user(self, username=None, **kwargs): | |||
|
|
145 | """ | |||
|
|
146 | Helper method for user fetching in plugins, by default it's using | |||
|
|
147 | simple fetch by username, but this method can be custimized in plugins | |||
|
|
148 | eg. container auth plugin to fetch user by environ params | |||
|
|
149 | :param username: username if given to fetch | |||
|
|
150 | :param kwargs: extra arguments needed for user fetching. | |||
|
|
151 | """ | |||
|
|
152 | environ = kwargs.get('environ') or {} | |||
|
|
153 | settings = kwargs.get('settings') or {} | |||
|
|
154 | username = self._get_username(environ, settings) | |||
|
|
155 | # we got the username, so use default method now | |||
|
|
156 | return super(RhodeCodeAuthPlugin, self).get_user(username) | |||
|
|
157 | ||||
|
|
158 | def auth(self, userobj, username, password, settings, **kwargs): | |||
|
|
159 | """ | |||
|
|
160 | Get's the container_auth username (or email). It tries to get username | |||
|
|
161 | from REMOTE_USER if this plugin is enabled, if that fails | |||
|
|
162 | it tries to get username from HTTP_X_FORWARDED_USER if fallback header | |||
|
|
163 | is set. clean_username extracts the username from this data if it's | |||
|
|
164 | having @ in it. | |||
|
|
165 | Return None on failure. On success, return a dictionary of the form: | |||
|
|
166 | ||||
|
|
167 | see: RhodeCodeAuthPluginBase.auth_func_attrs | |||
|
|
168 | ||||
|
|
169 | :param userobj: | |||
|
|
170 | :param username: | |||
|
|
171 | :param password: | |||
|
|
172 | :param settings: | |||
|
|
173 | :param kwargs: | |||
|
|
174 | """ | |||
|
|
175 | environ = kwargs.get('environ') | |||
|
|
176 | if not environ: | |||
|
|
177 | log.debug('Empty environ data skipping...') | |||
|
|
178 | return None | |||
|
|
179 | ||||
|
|
180 | if not userobj: | |||
|
|
181 | userobj = self.get_user('', environ=environ, settings=settings) | |||
|
|
182 | ||||
|
|
183 | # we don't care passed username/password for container auth plugins. | |||
|
|
184 | # only way to log in is using environ | |||
|
|
185 | username = None | |||
|
|
186 | if userobj: | |||
|
|
187 | username = getattr(userobj, 'username') | |||
|
|
188 | ||||
|
|
189 | if not username: | |||
|
|
190 | # we don't have any objects in DB user doesn't exist extrac username | |||
|
|
191 | # from environ based on the settings | |||
|
|
192 | username = self._get_username(environ, settings) | |||
|
|
193 | ||||
|
|
194 | # if cannot fetch username, it's a no-go for this plugin to proceed | |||
|
|
195 | if not username: | |||
|
|
196 | return None | |||
|
|
197 | ||||
|
|
198 | # old attrs fetched from RhodeCode database | |||
|
|
199 | admin = getattr(userobj, 'admin', False) | |||
|
|
200 | active = getattr(userobj, 'active', True) | |||
|
|
201 | email = getattr(userobj, 'email', '') | |||
|
|
202 | firstname = getattr(userobj, 'firstname', '') | |||
|
|
203 | lastname = getattr(userobj, 'lastname', '') | |||
|
|
204 | extern_type = getattr(userobj, 'extern_type', '') | |||
|
|
205 | ||||
|
|
206 | user_attrs = { | |||
|
|
207 | 'username': username, | |||
|
|
208 | 'firstname': safe_unicode(firstname or username), | |||
|
|
209 | 'lastname': safe_unicode(lastname or ''), | |||
|
|
210 | 'groups': [], | |||
|
|
211 | 'email': email or '', | |||
|
|
212 | 'admin': admin or False, | |||
|
|
213 | 'active': active, | |||
|
|
214 | 'active_from_extern': True, | |||
|
|
215 | 'extern_name': username, | |||
|
|
216 | 'extern_type': extern_type, | |||
|
|
217 | } | |||
|
|
218 | ||||
|
|
219 | log.info('user `%s` authenticated correctly' % user_attrs['username']) | |||
|
|
220 | return user_attrs | |||
| @@ -213,6 +213,7 b' setup(' | |||||
| 213 | paster_plugins=['PasteScript', 'Pylons'], |
|
213 | paster_plugins=['PasteScript', 'Pylons'], | |
| 214 | entry_points={ |
|
214 | entry_points={ | |
| 215 | 'enterprise.plugins1': [ |
|
215 | 'enterprise.plugins1': [ | |
|
|
216 | 'container=rhodecode.authentication.plugins.auth_container:plugin_factory', | |||
| 216 | 'crowd=rhodecode.authentication.plugins.auth_crowd:plugin_factory', |
|
217 | 'crowd=rhodecode.authentication.plugins.auth_crowd:plugin_factory', | |
| 217 | 'jasig_cas=rhodecode.authentication.plugins.auth_jasig_cas:plugin_factory', |
|
218 | 'jasig_cas=rhodecode.authentication.plugins.auth_jasig_cas:plugin_factory', | |
| 218 | 'ldap=rhodecode.authentication.plugins.auth_ldap:plugin_factory', |
|
219 | 'ldap=rhodecode.authentication.plugins.auth_ldap:plugin_factory', | |
General Comments 0
You need to be logged in to leave comments.
Login now