|
|
# Copyright (C) 2012-2023 RhodeCode GmbH
|
|
|
#
|
|
|
# This program is free software: you can redistribute it and/or modify
|
|
|
# it under the terms of the GNU Affero General Public License, version 3
|
|
|
# (only), as published by the Free Software Foundation.
|
|
|
#
|
|
|
# This program is distributed in the hope that it will be useful,
|
|
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
|
# GNU General Public License for more details.
|
|
|
#
|
|
|
# You should have received a copy of the GNU Affero General Public License
|
|
|
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
|
#
|
|
|
# This program is dual-licensed. If you wish to learn more about the
|
|
|
# RhodeCode Enterprise Edition, including its added features, Support services,
|
|
|
# and proprietary license terms, please see https://rhodecode.com/licenses/
|
|
|
|
|
|
import time
|
|
|
import logging
|
|
|
|
|
|
from pyramid.exceptions import ConfigurationError
|
|
|
from zope.interface import implementer
|
|
|
|
|
|
from rhodecode.authentication.interface import IAuthnPluginRegistry
|
|
|
from rhodecode.model.settings import SettingsModel
|
|
|
from rhodecode.lib.utils2 import safe_str
|
|
|
from rhodecode.lib.statsd_client import StatsdClient
|
|
|
from rhodecode.lib import rc_cache
|
|
|
|
|
|
log = logging.getLogger(__name__)
|
|
|
|
|
|
|
|
|
@implementer(IAuthnPluginRegistry)
|
|
|
class AuthenticationPluginRegistry(object):
|
|
|
|
|
|
# INI settings key to set a fallback authentication plugin.
|
|
|
fallback_plugin_key = 'rhodecode.auth_plugin_fallback'
|
|
|
|
|
|
def __init__(self, settings):
|
|
|
self._plugins = {}
|
|
|
self._fallback_plugin = settings.get(self.fallback_plugin_key, None)
|
|
|
|
|
|
def add_authn_plugin(self, config, plugin):
|
|
|
plugin_id = plugin.get_id()
|
|
|
if plugin_id in self._plugins.keys():
|
|
|
raise ConfigurationError(
|
|
|
'Cannot register authentication plugin twice: "%s"', plugin_id)
|
|
|
else:
|
|
|
log.debug('Register authentication plugin: "%s"', plugin_id)
|
|
|
self._plugins[plugin_id] = plugin
|
|
|
|
|
|
def get_plugins(self):
|
|
|
def sort_key(plugin):
|
|
|
return str.lower(safe_str(plugin.get_display_name()))
|
|
|
|
|
|
return sorted(self._plugins.values(), key=sort_key)
|
|
|
|
|
|
def get_plugin(self, plugin_id):
|
|
|
return self._plugins.get(plugin_id, None)
|
|
|
|
|
|
def get_plugin_by_uid(self, plugin_uid):
|
|
|
for plugin in self._plugins.values():
|
|
|
if plugin.uid == plugin_uid:
|
|
|
return plugin
|
|
|
|
|
|
def get_cache_call_method(self, cache=True):
|
|
|
region, _ns = self.get_cache_region()
|
|
|
|
|
|
@region.conditional_cache_on_arguments(condition=cache)
|
|
|
def _get_auth_plugins(name: str, key: str, fallback_plugin):
|
|
|
log.debug('auth-plugins: calculating plugins available for authentication')
|
|
|
|
|
|
_plugins = []
|
|
|
# Add all enabled and active plugins to the list. We iterate over the
|
|
|
# auth_plugins setting from DB because it also represents the ordering.
|
|
|
enabled_plugins = SettingsModel().get_auth_plugins()
|
|
|
raw_settings = SettingsModel().get_all_settings(cache=False)
|
|
|
|
|
|
for plugin_id in enabled_plugins:
|
|
|
plugin = self.get_plugin(plugin_id)
|
|
|
if plugin is not None and plugin.is_active(
|
|
|
plugin_cached_settings=raw_settings):
|
|
|
|
|
|
# inject settings into plugin, we can re-use the DB fetched settings here
|
|
|
plugin._settings = plugin._propagate_settings(raw_settings)
|
|
|
_plugins.append(plugin)
|
|
|
|
|
|
# Add the fallback plugin from ini file.
|
|
|
if fallback_plugin:
|
|
|
log.warning(
|
|
|
'Using fallback authentication plugin from INI file: "%s"',
|
|
|
fallback_plugin)
|
|
|
plugin = self.get_plugin(fallback_plugin)
|
|
|
if plugin is not None and plugin not in _plugins:
|
|
|
plugin._settings = plugin._propagate_settings(raw_settings)
|
|
|
_plugins.append(plugin)
|
|
|
return _plugins
|
|
|
|
|
|
return _get_auth_plugins
|
|
|
|
|
|
def get_plugins_for_authentication(self, cache=True):
|
|
|
"""
|
|
|
Returns a list of plugins which should be consulted when authenticating
|
|
|
a user. It only returns plugins which are enabled and active.
|
|
|
Additionally, it includes the fallback plugin from the INI file, if
|
|
|
`rhodecode.auth_plugin_fallback` is set to a plugin ID.
|
|
|
"""
|
|
|
|
|
|
_get_auth_plugins = self.get_cache_call_method(cache=cache)
|
|
|
|
|
|
start = time.time()
|
|
|
plugins = _get_auth_plugins('rhodecode_auth_plugins', 'v1', self._fallback_plugin)
|
|
|
|
|
|
compute_time = time.time() - start
|
|
|
log.debug('cached method:%s took %.4fs', _get_auth_plugins.__name__, compute_time)
|
|
|
|
|
|
statsd = StatsdClient.statsd
|
|
|
if statsd:
|
|
|
elapsed_time_ms = round(1000.0 * compute_time) # use ms only
|
|
|
statsd.timing("rhodecode_auth_plugins_timing.histogram", elapsed_time_ms,
|
|
|
use_decimals=False)
|
|
|
|
|
|
return plugins
|
|
|
|
|
|
@classmethod
|
|
|
def get_cache_region(cls):
|
|
|
cache_namespace_uid = 'auth_plugins.v1'
|
|
|
region = rc_cache.get_or_create_region('cache_general', cache_namespace_uid)
|
|
|
return region, cache_namespace_uid
|
|
|
|
|
|
@classmethod
|
|
|
def invalidate_auth_plugins_cache(cls, hard=True):
|
|
|
region, namespace_key = cls.get_cache_region()
|
|
|
log.debug('Invalidation cache [%s] region %s for cache_key: %s',
|
|
|
'invalidate_auth_plugins_cache', region, namespace_key)
|
|
|
|
|
|
# we use hard cleanup if invalidation is sent
|
|
|
rc_cache.clear_cache_namespace(region, namespace_key, method=rc_cache.CLEAR_DELETE)
|
|
|
|
