u/ewong/rhodecode-enterprise-ce-fork Commit - r441:d8a74f85

1

# -*- coding: utf-8 -*-

1

# -*- coding: utf-8 -*-

2

3

4

#

4

#

5

# This program is free software: you can redistribute it and/or modify

5

# This program is free software: you can redistribute it and/or modify

6

# it under the terms of the GNU Affero General Public License, version 3

6

# it under the terms of the GNU Affero General Public License, version 3

7

# (only), as published by the Free Software Foundation.

7

# (only), as published by the Free Software Foundation.

8

#

8

#

9

# This program is distributed in the hope that it will be useful,

9

# This program is distributed in the hope that it will be useful,

10

# but WITHOUT ANY WARRANTY; without even the implied warranty of

10

# but WITHOUT ANY WARRANTY; without even the implied warranty of

11

# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the

11

# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the

12

# GNU General Public License for more details.

12

# GNU General Public License for more details.

13

#

13

#

14

# You should have received a copy of the GNU Affero General Public License

14

# You should have received a copy of the GNU Affero General Public License

15

# along with this program. If not, see <http://www.gnu.org/licenses/>.

15

# along with this program. If not, see <http://www.gnu.org/licenses/>.

16

#

16

#

17

# This program is dual-licensed. If you wish to learn more about the

17

# This program is dual-licensed. If you wish to learn more about the

18

# RhodeCode Enterprise Edition, including its added features, Support services,

18

# RhodeCode Enterprise Edition, including its added features, Support services,

19

# and proprietary license terms, please see https://rhodecode.com/licenses/

19

# and proprietary license terms, please see https://rhodecode.com/licenses/

20

21

"""

21

"""

22

RhodeCode authentication plugin for built in internal auth

22

RhodeCode authentication plugin for built in internal auth

23

"""

23

"""

24

25

import logging

25

import logging

26

27

from pylons.i18n.translation import lazy_ugettext as _

27

from pylons.i18n.translation import lazy_ugettext as _

28

from sqlalchemy.ext.hybrid import hybrid_property

28

from sqlalchemy.ext.hybrid import hybrid_property

29

30

from rhodecode.authentication.base import RhodeCodeAuthPluginBase

30

from rhodecode.authentication.base import RhodeCodeAuthPluginBase

31

from rhodecode.authentication.routes import AuthnPluginResourceBase

31

from rhodecode.authentication.routes import AuthnPluginResourceBase

32

from rhodecode.lib.utils2 import safe_str

32

from rhodecode.lib.utils2 import safe_str

33

from rhodecode.model.db import User

33

from rhodecode.model.db import User

34

35

log = logging.getLogger(__name__)

35

log = logging.getLogger(__name__)

36

37

38

def plugin_factory(plugin_id, *args, **kwds):

38

def plugin_factory(plugin_id, *args, **kwds):

39

plugin = RhodeCodeAuthPlugin(plugin_id)

39

plugin = RhodeCodeAuthPlugin(plugin_id)

40

return plugin

40

return plugin

41

42

43

class RhodecodeAuthnResource(AuthnPluginResourceBase):

43

class RhodecodeAuthnResource(AuthnPluginResourceBase):

44

pass

44

pass

45

46

47

class RhodeCodeAuthPlugin(RhodeCodeAuthPluginBase):

47

class RhodeCodeAuthPlugin(RhodeCodeAuthPluginBase):

48

49

def includeme(self, config):

49

def includeme(self, config):

50

config.add_authn_plugin(self)

50

config.add_authn_plugin(self)

51

config.add_authn_resource(self.get_id(), RhodecodeAuthnResource(self))

51

config.add_authn_resource(self.get_id(), RhodecodeAuthnResource(self))

52

config.add_view(

52

config.add_view(

53

'rhodecode.authentication.views.AuthnPluginViewBase',

53

'rhodecode.authentication.views.AuthnPluginViewBase',

54

attr='settings_get',

54

attr='settings_get',

55

renderer='rhodecode:templates/admin/auth/plugin_settings.html',

55

renderer='rhodecode:templates/admin/auth/plugin_settings.html',

56

request_method='GET',

56

request_method='GET',

57

route_name='auth_home',

57

route_name='auth_home',

58

context=RhodecodeAuthnResource)

58

context=RhodecodeAuthnResource)

59

config.add_view(

59

config.add_view(

60

'rhodecode.authentication.views.AuthnPluginViewBase',

60

'rhodecode.authentication.views.AuthnPluginViewBase',

61

attr='settings_post',

61

attr='settings_post',

62

renderer='rhodecode:templates/admin/auth/plugin_settings.html',

62

renderer='rhodecode:templates/admin/auth/plugin_settings.html',

63

request_method='POST',

63

request_method='POST',

64

route_name='auth_home',

64

route_name='auth_home',

65

context=RhodecodeAuthnResource)

65

context=RhodecodeAuthnResource)

66

67

def get_display_name(self):

67

def get_display_name(self):

68

return _('Rhodecode')

68

return _('Rhodecode')

69

70

@hybrid_property

70

@hybrid_property

71

def name(self):

71

def name(self):

72

return "rhodecode"

72

return "rhodecode"

73

74

def user_activation_state(self):

74

def user_activation_state(self):

75

def_user_perms = User.get_default_user().AuthUser.permissions['global']

75

def_user_perms = User.get_default_user().AuthUser.permissions['global']

76

return 'hg.register.auto_activate' in def_user_perms

76

return 'hg.register.auto_activate' in def_user_perms

77

78

def allows_authentication_from(

78

def allows_authentication_from(

79

self, user, allows_non_existing_user=True,

79

self, user, allows_non_existing_user=True,

80

allowed_auth_plugins=None, allowed_auth_sources=None):

80

allowed_auth_plugins=None, allowed_auth_sources=None):

81

"""

81

"""

82

Custom method for this auth that doesn't accept non existing users.

82

Custom method for this auth that doesn't accept non existing users.

83

We know that user exists in our database.

83

We know that user exists in our database.

84

"""

84

"""

85

allows_non_existing_user = False

85

allows_non_existing_user = False

86

return super(RhodeCodeAuthPlugin, self).allows_authentication_from(

86

return super(RhodeCodeAuthPlugin, self).allows_authentication_from(

87

user, allows_non_existing_user=allows_non_existing_user)

87

user, allows_non_existing_user=allows_non_existing_user)

88

89

def auth(self, userobj, username, password, settings, **kwargs):

89

def auth(self, userobj, username, password, settings, **kwargs):

90

if not userobj:

90

if not userobj:

91

log.debug('userobj was:%s skipping' % (userobj, ))

91

log.debug('userobj was:%s skipping' % (userobj, ))

92

return None

92

return None

93

if userobj.extern_type != self.name:

93

if userobj.extern_type != self.name:

94

log.warning(

94

log.warning(

95

"userobj:%s extern_type mismatch got:`%s` expected:`%s`" %

95

"userobj:%s extern_type mismatch got:`%s` expected:`%s`" %

96

(userobj, userobj.extern_type, self.name))

96

(userobj, userobj.extern_type, self.name))

97

return None

97

return None

98

99

user_attrs = {

99

user_attrs = {

100

"username": userobj.username,

100

"username": userobj.username,

101

"firstname": userobj.firstname,

101

"firstname": userobj.firstname,

102

"lastname": userobj.lastname,

102

"lastname": userobj.lastname,

103

"groups": [],

103

"groups": [],

104

"email": userobj.email,

104

"email": userobj.email,

105

"admin": userobj.admin,

105

"admin": userobj.admin,

106

"active": userobj.active,

106

"active": userobj.active,

107

"active_from_extern": userobj.active,

107

"active_from_extern": userobj.active,

108

"extern_name": userobj.user_id,

108

"extern_name": userobj.user_id,

109

"extern_type": userobj.extern_type,

109

"extern_type": userobj.extern_type,

110

}

110

}

111

112

log.debug("User attributes:%s" % (user_attrs, ))

112

log.debug("User attributes:%s" % (user_attrs, ))

113

if userobj.active:

113

if userobj.active:

114

from rhodecode.lib import auth

114

from rhodecode.lib import auth

115

crypto_backend = auth.crypto_backend()

115

crypto_backend = auth.crypto_backend()

116

password_encoded = safe_str(password)

116

password_encoded = safe_str(password)

117

password_match, new_hash = crypto_backend.hash_check_with_upgrade(

117

password_match, new_hash = crypto_backend.hash_check_with_upgrade(

118

password_encoded, userobj.password)

118

password_encoded, userobj.password)

119

120

if password_match and new_hash:

120

if password_match and new_hash:

121

log.debug('user %s properly authenticated, but '

121

log.debug('user %s properly authenticated, but '

122

'requires hash change to bcrypt', userobj)

122

'requires hash change to bcrypt', userobj)

123

# if password match, and we use OLD deprecated hash,

123

# if password match, and we use OLD deprecated hash,

124

# we should migrate this user hash password to the new hash

124

# we should migrate this user hash password to the new hash

125

# we store the new returned by hash_check_with_upgrade function

125

# we store the new returned by hash_check_with_upgrade function

126

user_attrs['_hash_migrate'] = new_hash

126

user_attrs['_hash_migrate'] = new_hash

127

128

if userobj.username == User.DEFAULT_USER and userobj.active:

128

if userobj.username == User.DEFAULT_USER and userobj.active:

129

log.info(

129

log.info(

130

'user %s authenticated correctly as anonymous user', userobj)

130

'user %s authenticated correctly as anonymous user', userobj)

131

return user_attrs

131

return user_attrs

132

133

elif userobj.username == username and password_match:

133

elif userobj.username == username and password_match:

134

log.info('user %s authenticated correctly', userobj)

134

log.info('user %s authenticated correctly', userobj)

135

return user_attrs

135

return user_attrs

136

log.info("user %s had a bad password when "

136

log.info("user %s had a bad password when "

137

"authenticating on this plugin", userobj)

137

"authenticating on this plugin", userobj)

138

return None

138

return None

139

else:

139

else:

140

log.warning('user %s tried auth but is disabled', userobj)

140

log.warning(

141

'user `%s` failed to authenticate via %s, reason: account not '

142

'active.', username, self.name)

141

return None

143

return None

	Site-wide shortcuts
/	Use quick search box
g h	Goto home page
g g	Goto my private gists page
g G	Goto my public gists page
g 0-9	Goto bookmarked items from 0-9
n r	New repository page
n g	New gist page

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages

             # -*- coding: utf-8 -*-
             # Copyright (C) 2012-2016  RhodeCode GmbH
             #
             # This program is free software: you can redistribute it and/or modify
             # it under the terms of the GNU Affero General Public License, version 3
             # (only), as published by the Free Software Foundation.
             #
             # This program is distributed in the hope that it will be useful,
             # but WITHOUT ANY WARRANTY; without even the implied warranty of
             # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
             # GNU General Public License for more details.
             #
             # You should have received a copy of the GNU Affero General Public License
             # along with this program.  If not, see <http://www.gnu.org/licenses/>.
             #
             # This program is dual-licensed. If you wish to learn more about the
             # RhodeCode Enterprise Edition, including its added features, Support services,
             # and proprietary license terms, please see https://rhodecode.com/licenses/
             """
             RhodeCode authentication plugin for built in internal auth
             """
             import logging
             from pylons.i18n.translation import lazy_ugettext as _
             from sqlalchemy.ext.hybrid import hybrid_property
             from rhodecode.authentication.base import RhodeCodeAuthPluginBase
             from rhodecode.authentication.routes import AuthnPluginResourceBase
             from rhodecode.lib.utils2 import safe_str
             from rhodecode.model.db import User
             log = logging.getLogger(__name__)
             def plugin_factory(plugin_id, *args, **kwds):
                 plugin = RhodeCodeAuthPlugin(plugin_id)
                 return plugin
             class RhodecodeAuthnResource(AuthnPluginResourceBase):
                 pass
             class RhodeCodeAuthPlugin(RhodeCodeAuthPluginBase):
                 def includeme(self, config):
                     config.add_authn_plugin(self)
                     config.add_authn_resource(self.get_id(), RhodecodeAuthnResource(self))
                     config.add_view(
                         'rhodecode.authentication.views.AuthnPluginViewBase',
                         attr='settings_get',
                         renderer='rhodecode:templates/admin/auth/plugin_settings.html',
                         request_method='GET',
                         route_name='auth_home',
                         context=RhodecodeAuthnResource)
                     config.add_view(
                         'rhodecode.authentication.views.AuthnPluginViewBase',
                         attr='settings_post',
                         renderer='rhodecode:templates/admin/auth/plugin_settings.html',
                         request_method='POST',
                         route_name='auth_home',
                         context=RhodecodeAuthnResource)
                 def get_display_name(self):
                     return _('Rhodecode')
                 @hybrid_property
                 def name(self):
                     return "rhodecode"
                 def user_activation_state(self):
                     def_user_perms = User.get_default_user().AuthUser.permissions['global']
                     return 'hg.register.auto_activate' in def_user_perms
                 def allows_authentication_from(
                         self, user, allows_non_existing_user=True,
                         allowed_auth_plugins=None, allowed_auth_sources=None):
                     """
                     Custom method for this auth that doesn't accept non existing users.
                     We know that user exists in our database.
                     """
                     allows_non_existing_user = False
                     return super(RhodeCodeAuthPlugin, self).allows_authentication_from(
                         user, allows_non_existing_user=allows_non_existing_user)
                 def auth(self, userobj, username, password, settings, **kwargs):
                     if not userobj:
                         log.debug('userobj was:%s skipping' % (userobj, ))
                         return None
                     if userobj.extern_type != self.name:
                         log.warning(
                             "userobj:%s extern_type mismatch got:`%s` expected:`%s`" %
                             (userobj, userobj.extern_type, self.name))
                         return None
                     user_attrs = {
                         "username": userobj.username,
                         "firstname": userobj.firstname,
                         "lastname": userobj.lastname,
                         "groups": [],
                         "email": userobj.email,
                         "admin": userobj.admin,
                         "active": userobj.active,
                         "active_from_extern": userobj.active,
                         "extern_name": userobj.user_id,
                         "extern_type": userobj.extern_type,
                     }
                     log.debug("User attributes:%s" % (user_attrs, ))
                     if userobj.active:
                         from rhodecode.lib import auth
                         crypto_backend = auth.crypto_backend()
                         password_encoded = safe_str(password)
                         password_match, new_hash = crypto_backend.hash_check_with_upgrade(
                             password_encoded, userobj.password)
                         if password_match and new_hash:
                             log.debug('user %s properly authenticated, but '
                                       'requires hash change to bcrypt', userobj)
                             # if password match, and we use OLD deprecated hash,
                             # we should migrate this user hash password to the new hash
                             # we store the new returned by hash_check_with_upgrade function
                             user_attrs['_hash_migrate'] = new_hash
                         if userobj.username == User.DEFAULT_USER and userobj.active:
                             log.info(
                                 'user %s authenticated correctly as anonymous user', userobj)
                             return user_attrs
                         elif userobj.username == username and password_match:
                             log.info('user %s authenticated correctly', userobj)
                             return user_attrs
                         log.info("user %s had a bad password when "
                                  "authenticating on this plugin", userobj)
                         return None
                     else:
-                        log.warning('user %s tried auth but is disabled', userobj)
+                        log.warning(
+                            'user `%s` failed to authenticate via %s, reason: account not '
+                            'active.', username, self.name)
                         return None