Show More
@@ -1,141 +1,143 b'' | |||
|
1 | 1 | # -*- coding: utf-8 -*- |
|
2 | 2 | |
|
3 | 3 | # Copyright (C) 2012-2016 RhodeCode GmbH |
|
4 | 4 | # |
|
5 | 5 | # This program is free software: you can redistribute it and/or modify |
|
6 | 6 | # it under the terms of the GNU Affero General Public License, version 3 |
|
7 | 7 | # (only), as published by the Free Software Foundation. |
|
8 | 8 | # |
|
9 | 9 | # This program is distributed in the hope that it will be useful, |
|
10 | 10 | # but WITHOUT ANY WARRANTY; without even the implied warranty of |
|
11 | 11 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
|
12 | 12 | # GNU General Public License for more details. |
|
13 | 13 | # |
|
14 | 14 | # You should have received a copy of the GNU Affero General Public License |
|
15 | 15 | # along with this program. If not, see <http://www.gnu.org/licenses/>. |
|
16 | 16 | # |
|
17 | 17 | # This program is dual-licensed. If you wish to learn more about the |
|
18 | 18 | # RhodeCode Enterprise Edition, including its added features, Support services, |
|
19 | 19 | # and proprietary license terms, please see https://rhodecode.com/licenses/ |
|
20 | 20 | |
|
21 | 21 | """ |
|
22 | 22 | RhodeCode authentication plugin for built in internal auth |
|
23 | 23 | """ |
|
24 | 24 | |
|
25 | 25 | import logging |
|
26 | 26 | |
|
27 | 27 | from pylons.i18n.translation import lazy_ugettext as _ |
|
28 | 28 | from sqlalchemy.ext.hybrid import hybrid_property |
|
29 | 29 | |
|
30 | 30 | from rhodecode.authentication.base import RhodeCodeAuthPluginBase |
|
31 | 31 | from rhodecode.authentication.routes import AuthnPluginResourceBase |
|
32 | 32 | from rhodecode.lib.utils2 import safe_str |
|
33 | 33 | from rhodecode.model.db import User |
|
34 | 34 | |
|
35 | 35 | log = logging.getLogger(__name__) |
|
36 | 36 | |
|
37 | 37 | |
|
38 | 38 | def plugin_factory(plugin_id, *args, **kwds): |
|
39 | 39 | plugin = RhodeCodeAuthPlugin(plugin_id) |
|
40 | 40 | return plugin |
|
41 | 41 | |
|
42 | 42 | |
|
43 | 43 | class RhodecodeAuthnResource(AuthnPluginResourceBase): |
|
44 | 44 | pass |
|
45 | 45 | |
|
46 | 46 | |
|
47 | 47 | class RhodeCodeAuthPlugin(RhodeCodeAuthPluginBase): |
|
48 | 48 | |
|
49 | 49 | def includeme(self, config): |
|
50 | 50 | config.add_authn_plugin(self) |
|
51 | 51 | config.add_authn_resource(self.get_id(), RhodecodeAuthnResource(self)) |
|
52 | 52 | config.add_view( |
|
53 | 53 | 'rhodecode.authentication.views.AuthnPluginViewBase', |
|
54 | 54 | attr='settings_get', |
|
55 | 55 | renderer='rhodecode:templates/admin/auth/plugin_settings.html', |
|
56 | 56 | request_method='GET', |
|
57 | 57 | route_name='auth_home', |
|
58 | 58 | context=RhodecodeAuthnResource) |
|
59 | 59 | config.add_view( |
|
60 | 60 | 'rhodecode.authentication.views.AuthnPluginViewBase', |
|
61 | 61 | attr='settings_post', |
|
62 | 62 | renderer='rhodecode:templates/admin/auth/plugin_settings.html', |
|
63 | 63 | request_method='POST', |
|
64 | 64 | route_name='auth_home', |
|
65 | 65 | context=RhodecodeAuthnResource) |
|
66 | 66 | |
|
67 | 67 | def get_display_name(self): |
|
68 | 68 | return _('Rhodecode') |
|
69 | 69 | |
|
70 | 70 | @hybrid_property |
|
71 | 71 | def name(self): |
|
72 | 72 | return "rhodecode" |
|
73 | 73 | |
|
74 | 74 | def user_activation_state(self): |
|
75 | 75 | def_user_perms = User.get_default_user().AuthUser.permissions['global'] |
|
76 | 76 | return 'hg.register.auto_activate' in def_user_perms |
|
77 | 77 | |
|
78 | 78 | def allows_authentication_from( |
|
79 | 79 | self, user, allows_non_existing_user=True, |
|
80 | 80 | allowed_auth_plugins=None, allowed_auth_sources=None): |
|
81 | 81 | """ |
|
82 | 82 | Custom method for this auth that doesn't accept non existing users. |
|
83 | 83 | We know that user exists in our database. |
|
84 | 84 | """ |
|
85 | 85 | allows_non_existing_user = False |
|
86 | 86 | return super(RhodeCodeAuthPlugin, self).allows_authentication_from( |
|
87 | 87 | user, allows_non_existing_user=allows_non_existing_user) |
|
88 | 88 | |
|
89 | 89 | def auth(self, userobj, username, password, settings, **kwargs): |
|
90 | 90 | if not userobj: |
|
91 | 91 | log.debug('userobj was:%s skipping' % (userobj, )) |
|
92 | 92 | return None |
|
93 | 93 | if userobj.extern_type != self.name: |
|
94 | 94 | log.warning( |
|
95 | 95 | "userobj:%s extern_type mismatch got:`%s` expected:`%s`" % |
|
96 | 96 | (userobj, userobj.extern_type, self.name)) |
|
97 | 97 | return None |
|
98 | 98 | |
|
99 | 99 | user_attrs = { |
|
100 | 100 | "username": userobj.username, |
|
101 | 101 | "firstname": userobj.firstname, |
|
102 | 102 | "lastname": userobj.lastname, |
|
103 | 103 | "groups": [], |
|
104 | 104 | "email": userobj.email, |
|
105 | 105 | "admin": userobj.admin, |
|
106 | 106 | "active": userobj.active, |
|
107 | 107 | "active_from_extern": userobj.active, |
|
108 | 108 | "extern_name": userobj.user_id, |
|
109 | 109 | "extern_type": userobj.extern_type, |
|
110 | 110 | } |
|
111 | 111 | |
|
112 | 112 | log.debug("User attributes:%s" % (user_attrs, )) |
|
113 | 113 | if userobj.active: |
|
114 | 114 | from rhodecode.lib import auth |
|
115 | 115 | crypto_backend = auth.crypto_backend() |
|
116 | 116 | password_encoded = safe_str(password) |
|
117 | 117 | password_match, new_hash = crypto_backend.hash_check_with_upgrade( |
|
118 | 118 | password_encoded, userobj.password) |
|
119 | 119 | |
|
120 | 120 | if password_match and new_hash: |
|
121 | 121 | log.debug('user %s properly authenticated, but ' |
|
122 | 122 | 'requires hash change to bcrypt', userobj) |
|
123 | 123 | # if password match, and we use OLD deprecated hash, |
|
124 | 124 | # we should migrate this user hash password to the new hash |
|
125 | 125 | # we store the new returned by hash_check_with_upgrade function |
|
126 | 126 | user_attrs['_hash_migrate'] = new_hash |
|
127 | 127 | |
|
128 | 128 | if userobj.username == User.DEFAULT_USER and userobj.active: |
|
129 | 129 | log.info( |
|
130 | 130 | 'user %s authenticated correctly as anonymous user', userobj) |
|
131 | 131 | return user_attrs |
|
132 | 132 | |
|
133 | 133 | elif userobj.username == username and password_match: |
|
134 | 134 | log.info('user %s authenticated correctly', userobj) |
|
135 | 135 | return user_attrs |
|
136 | 136 | log.info("user %s had a bad password when " |
|
137 | 137 | "authenticating on this plugin", userobj) |
|
138 | 138 | return None |
|
139 | 139 | else: |
|
140 | log.warning('user %s tried auth but is disabled', userobj) | |
|
140 | log.warning( | |
|
141 | 'user `%s` failed to authenticate via %s, reason: account not ' | |
|
142 | 'active.', username, self.name) | |
|
141 | 143 | return None |
General Comments 0
You need to be logged in to leave comments.
Login now