views.py
390 lines
| 15.3 KiB
| text/x-python
|
PythonLexer
r30 | # -*- coding: utf-8 -*- | |||
r1271 | # Copyright (C) 2016-2017 RhodeCode GmbH | |||
r30 | # | |||
# This program is free software: you can redistribute it and/or modify | ||||
# it under the terms of the GNU Affero General Public License, version 3 | ||||
# (only), as published by the Free Software Foundation. | ||||
# | ||||
# This program is distributed in the hope that it will be useful, | ||||
# but WITHOUT ANY WARRANTY; without even the implied warranty of | ||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||||
# GNU General Public License for more details. | ||||
# | ||||
# You should have received a copy of the GNU Affero General Public License | ||||
# along with this program. If not, see <http://www.gnu.org/licenses/>. | ||||
# | ||||
# This program is dual-licensed. If you wish to learn more about the | ||||
# RhodeCode Enterprise Edition, including its added features, Support services, | ||||
# and proprietary license terms, please see https://rhodecode.com/licenses/ | ||||
r1471 | import time | |||
Martin Bornhold
|
r1062 | import collections | ||
r30 | import datetime | |||
import formencode | ||||
import logging | ||||
import urlparse | ||||
from pylons import url | ||||
from pyramid.httpexceptions import HTTPFound | ||||
from pyramid.view import view_config | ||||
from recaptcha.client.captcha import submit | ||||
r104 | from rhodecode.authentication.base import authenticate, HTTP_TYPE | |||
r43 | from rhodecode.events import UserRegistered | |||
r1037 | from rhodecode.lib import helpers as h | |||
r30 | from rhodecode.lib.auth import ( | |||
AuthUser, HasPermissionAnyDecorator, CSRFRequired) | ||||
from rhodecode.lib.base import get_ip_addr | ||||
from rhodecode.lib.exceptions import UserCreationError | ||||
from rhodecode.lib.utils2 import safe_str | ||||
r1471 | from rhodecode.model.db import User, UserApiKeys | |||
r30 | from rhodecode.model.forms import LoginForm, RegisterForm, PasswordResetForm | |||
from rhodecode.model.meta import Session | ||||
r1471 | from rhodecode.model.auth_token import AuthTokenModel | |||
r30 | from rhodecode.model.settings import SettingsModel | |||
from rhodecode.model.user import UserModel | ||||
r51 | from rhodecode.translation import _ | |||
r30 | ||||
log = logging.getLogger(__name__) | ||||
Martin Bornhold
|
r1062 | CaptchaData = collections.namedtuple( | ||
'CaptchaData', 'active, private_key, public_key') | ||||
r30 | ||||
def _store_user_in_session(session, username, remember=False): | ||||
user = User.get_by_username(username, case_insensitive=True) | ||||
auth_user = AuthUser(user.user_id) | ||||
auth_user.set_authenticated() | ||||
cs = auth_user.get_cookie_store() | ||||
session['rhodecode_user'] = cs | ||||
user.update_lastlogin() | ||||
Session().commit() | ||||
# If they want to be remembered, update the cookie | ||||
if remember: | ||||
_year = (datetime.datetime.now() + | ||||
datetime.timedelta(seconds=60 * 60 * 24 * 365)) | ||||
session._set_cookie_expires(_year) | ||||
session.save() | ||||
r1291 | safe_cs = cs.copy() | |||
safe_cs['password'] = '****' | ||||
r30 | log.info('user %s is now authenticated and stored in ' | |||
r1291 | 'session, session attrs %s', username, safe_cs) | |||
r30 | ||||
# dumps session attrs back to cookie | ||||
session._update_cookie_out() | ||||
# we set new cookie | ||||
headers = None | ||||
if session.request['set_cookie']: | ||||
# send set-cookie headers back to response to update cookie | ||||
headers = [('Set-Cookie', session.request['cookie_out'])] | ||||
return headers | ||||
r57 | def get_came_from(request): | |||
came_from = safe_str(request.GET.get('came_from', '')) | ||||
parsed = urlparse.urlparse(came_from) | ||||
allowed_schemes = ['http', 'https'] | ||||
if parsed.scheme and parsed.scheme not in allowed_schemes: | ||||
log.error('Suspicious URL scheme detected %s for url %s' % | ||||
(parsed.scheme, parsed)) | ||||
came_from = url('home') | ||||
elif parsed.netloc and request.host != parsed.netloc: | ||||
log.error('Suspicious NETLOC detected %s for url %s server url ' | ||||
'is: %s' % (parsed.netloc, parsed, request.host)) | ||||
came_from = url('home') | ||||
elif any(bad_str in parsed.path for bad_str in ('\r', '\n')): | ||||
log.error('Header injection detected `%s` for url %s server url ' % | ||||
(parsed.path, parsed)) | ||||
came_from = url('home') | ||||
r58 | return came_from or url('home') | |||
r57 | ||||
r30 | class LoginView(object): | |||
def __init__(self, context, request): | ||||
self.request = request | ||||
self.context = context | ||||
self.session = request.session | ||||
self._rhodecode_user = request.user | ||||
def _get_template_context(self): | ||||
return { | ||||
r57 | 'came_from': get_came_from(self.request), | |||
r30 | 'defaults': {}, | |||
'errors': {}, | ||||
} | ||||
Martin Bornhold
|
r1062 | def _get_captcha_data(self): | ||
settings = SettingsModel().get_all_settings() | ||||
private_key = settings.get('rhodecode_captcha_private_key') | ||||
public_key = settings.get('rhodecode_captcha_public_key') | ||||
active = bool(private_key) | ||||
return CaptchaData( | ||||
active=active, private_key=private_key, public_key=public_key) | ||||
r30 | @view_config( | |||
route_name='login', request_method='GET', | ||||
r1282 | renderer='rhodecode:templates/login.mako') | |||
r30 | def login(self): | |||
r104 | came_from = get_came_from(self.request) | |||
r30 | user = self.request.user | |||
# redirect if already logged in | ||||
if user.is_authenticated and not user.is_default and user.ip_allowed: | ||||
r104 | raise HTTPFound(came_from) | |||
r106 | # check if we use headers plugin, and try to login using it. | |||
r104 | try: | |||
r106 | log.debug('Running PRE-AUTH for headers based authentication') | |||
r104 | auth_info = authenticate( | |||
'', '', self.request.environ, HTTP_TYPE, skip_missing=True) | ||||
if auth_info: | ||||
headers = _store_user_in_session( | ||||
self.session, auth_info.get('username')) | ||||
raise HTTPFound(came_from, headers=headers) | ||||
except UserCreationError as e: | ||||
log.error(e) | ||||
self.session.flash(e, queue='error') | ||||
r30 | ||||
return self._get_template_context() | ||||
@view_config( | ||||
route_name='login', request_method='POST', | ||||
r1282 | renderer='rhodecode:templates/login.mako') | |||
r30 | def login_post(self): | |||
r57 | came_from = get_came_from(self.request) | |||
r1321 | ||||
r30 | login_form = LoginForm()() | |||
try: | ||||
r1321 | self.session.invalidate() | |||
r30 | form_result = login_form.to_python(self.request.params) | |||
# form checks for username/password, now we're authenticated | ||||
headers = _store_user_in_session( | ||||
self.session, | ||||
username=form_result['username'], | ||||
remember=form_result['remember']) | ||||
r180 | log.debug('Redirecting to "%s" after login.', came_from) | |||
r30 | raise HTTPFound(came_from, headers=headers) | |||
except formencode.Invalid as errors: | ||||
defaults = errors.value | ||||
# remove password from filling in form again | ||||
Martin Bornhold
|
r1065 | defaults.pop('password', None) | ||
r30 | render_ctx = self._get_template_context() | |||
render_ctx.update({ | ||||
'errors': errors.error_dict, | ||||
'defaults': defaults, | ||||
}) | ||||
return render_ctx | ||||
except UserCreationError as e: | ||||
r106 | # headers auth or other auth functions that create users on | |||
r30 | # the fly can throw this exception signaling that there's issue | |||
# with user creation, explanation should be provided in | ||||
# Exception itself | ||||
r1321 | self.session.flash(e, queue='error') | |||
r30 | return self._get_template_context() | |||
@CSRFRequired() | ||||
@view_config(route_name='logout', request_method='POST') | ||||
def logout(self): | ||||
r1321 | user = self.request.user | |||
log.info('Deleting session for user: `%s`', user) | ||||
self.session.delete() | ||||
r30 | return HTTPFound(url('home')) | |||
@HasPermissionAnyDecorator( | ||||
'hg.admin', 'hg.register.auto_activate', 'hg.register.manual_activate') | ||||
@view_config( | ||||
route_name='register', request_method='GET', | ||||
r1282 | renderer='rhodecode:templates/register.mako',) | |||
r78 | def register(self, defaults=None, errors=None): | |||
defaults = defaults or {} | ||||
errors = errors or {} | ||||
r30 | settings = SettingsModel().get_all_settings() | |||
r38 | register_message = settings.get('rhodecode_register_message') or '' | |||
Martin Bornhold
|
r1062 | captcha = self._get_captcha_data() | ||
r30 | auto_active = 'hg.register.auto_activate' in User.get_default_user()\ | |||
.AuthUser.permissions['global'] | ||||
r38 | ||||
r30 | render_ctx = self._get_template_context() | |||
render_ctx.update({ | ||||
r46 | 'defaults': defaults, | |||
'errors': errors, | ||||
r30 | 'auto_active': auto_active, | |||
Martin Bornhold
|
r1062 | 'captcha_active': captcha.active, | ||
'captcha_public_key': captcha.public_key, | ||||
r38 | 'register_message': register_message, | |||
r30 | }) | |||
return render_ctx | ||||
Martin Bornhold
|
r173 | @HasPermissionAnyDecorator( | ||
'hg.admin', 'hg.register.auto_activate', 'hg.register.manual_activate') | ||||
r30 | @view_config( | |||
route_name='register', request_method='POST', | ||||
r1282 | renderer='rhodecode:templates/register.mako') | |||
r30 | def register_post(self): | |||
Martin Bornhold
|
r1062 | captcha = self._get_captcha_data() | ||
r30 | auto_active = 'hg.register.auto_activate' in User.get_default_user()\ | |||
.AuthUser.permissions['global'] | ||||
register_form = RegisterForm()() | ||||
try: | ||||
form_result = register_form.to_python(self.request.params) | ||||
form_result['active'] = auto_active | ||||
Martin Bornhold
|
r1062 | if captcha.active: | ||
r30 | response = submit( | |||
self.request.params.get('recaptcha_challenge_field'), | ||||
self.request.params.get('recaptcha_response_field'), | ||||
Martin Bornhold
|
r1062 | private_key=captcha.private_key, | ||
r45 | remoteip=get_ip_addr(self.request.environ)) | |||
Martin Bornhold
|
r1063 | if not response.is_valid: | ||
r30 | _value = form_result | |||
Martin Bornhold
|
r1064 | _msg = _('Bad captcha') | ||
r30 | error_dict = {'recaptcha_field': _msg} | |||
raise formencode.Invalid(_msg, _value, None, | ||||
error_dict=error_dict) | ||||
r43 | new_user = UserModel().create_registration(form_result) | |||
event = UserRegistered(user=new_user, session=self.session) | ||||
self.request.registry.notify(event) | ||||
r30 | self.session.flash( | |||
_('You have successfully registered with RhodeCode'), | ||||
queue='success') | ||||
Session().commit() | ||||
redirect_ro = self.request.route_path('login') | ||||
raise HTTPFound(redirect_ro) | ||||
except formencode.Invalid as errors: | ||||
Martin Bornhold
|
r1065 | errors.value.pop('password', None) | ||
errors.value.pop('password_confirmation', None) | ||||
r46 | return self.register( | |||
defaults=errors.value, errors=errors.error_dict) | ||||
r30 | ||||
except UserCreationError as e: | ||||
# container auth or other auth functions that create users on | ||||
# the fly can throw this exception signaling that there's issue | ||||
# with user creation, explanation should be provided in | ||||
# Exception itself | ||||
self.session.flash(e, queue='error') | ||||
r46 | return self.register() | |||
r30 | ||||
@view_config( | ||||
route_name='reset_password', request_method=('GET', 'POST'), | ||||
r1282 | renderer='rhodecode:templates/password_reset.mako') | |||
r30 | def password_reset(self): | |||
Martin Bornhold
|
r1062 | captcha = self._get_captcha_data() | ||
r30 | ||||
render_ctx = { | ||||
Martin Bornhold
|
r1062 | 'captcha_active': captcha.active, | ||
'captcha_public_key': captcha.public_key, | ||||
r30 | 'defaults': {}, | |||
'errors': {}, | ||||
} | ||||
r1471 | # always send implicit message to prevent from discovery of | |||
# matching emails | ||||
msg = _('If such email exists, a password reset link was sent to it.') | ||||
r30 | if self.request.POST: | |||
r1471 | if h.HasPermissionAny('hg.password_reset.disabled')(): | |||
_email = self.request.POST.get('email', '') | ||||
log.error('Failed attempt to reset password for `%s`.', _email) | ||||
self.session.flash(_('Password reset has been disabled.'), | ||||
queue='error') | ||||
return HTTPFound(self.request.route_path('reset_password')) | ||||
r30 | password_reset_form = PasswordResetForm()() | |||
try: | ||||
form_result = password_reset_form.to_python( | ||||
self.request.params) | ||||
r1471 | user_email = form_result['email'] | |||
Martin Bornhold
|
r1062 | if captcha.active: | ||
r30 | response = submit( | |||
self.request.params.get('recaptcha_challenge_field'), | ||||
self.request.params.get('recaptcha_response_field'), | ||||
Martin Bornhold
|
r1062 | private_key=captcha.private_key, | ||
r30 | remoteip=get_ip_addr(self.request.environ)) | |||
Martin Bornhold
|
r1063 | if not response.is_valid: | ||
r30 | _value = form_result | |||
Martin Bornhold
|
r1064 | _msg = _('Bad captcha') | ||
r30 | error_dict = {'recaptcha_field': _msg} | |||
r1471 | raise formencode.Invalid( | |||
_msg, _value, None, error_dict=error_dict) | ||||
# Generate reset URL and send mail. | ||||
user = User.get_by_email(user_email) | ||||
r37 | ||||
r1471 | # generate password reset token that expires in 10minutes | |||
desc = 'Generated token for password reset from {}'.format( | ||||
datetime.datetime.now().isoformat()) | ||||
reset_token = AuthTokenModel().create( | ||||
user, lifetime=10, | ||||
description=desc, | ||||
role=UserApiKeys.ROLE_PASSWORD_RESET) | ||||
Session().commit() | ||||
log.debug('Successfully created password recovery token') | ||||
r37 | password_reset_url = self.request.route_url( | |||
'reset_password_confirmation', | ||||
r1471 | _query={'key': reset_token.api_key}) | |||
r37 | UserModel().reset_password_link( | |||
form_result, password_reset_url) | ||||
# Display success message and redirect. | ||||
r1471 | self.session.flash(msg, queue='success') | |||
return HTTPFound(self.request.route_path('reset_password')) | ||||
r30 | ||||
except formencode.Invalid as errors: | ||||
render_ctx.update({ | ||||
'defaults': errors.value, | ||||
}) | ||||
r1471 | log.debug('faking response on invalid password reset') | |||
# make this take 2s, to prevent brute forcing. | ||||
time.sleep(2) | ||||
self.session.flash(msg, queue='success') | ||||
return HTTPFound(self.request.route_path('reset_password')) | ||||
r30 | ||||
return render_ctx | ||||
@view_config(route_name='reset_password_confirmation', | ||||
request_method='GET') | ||||
def password_reset_confirmation(self): | ||||
r1471 | ||||
r30 | if self.request.GET and self.request.GET.get('key'): | |||
r1471 | # make this take 2s, to prevent brute forcing. | |||
time.sleep(2) | ||||
token = AuthTokenModel().get_auth_token( | ||||
self.request.GET.get('key')) | ||||
# verify token is the correct role | ||||
if token is None or token.role != UserApiKeys.ROLE_PASSWORD_RESET: | ||||
log.debug('Got token with role:%s expected is %s', | ||||
getattr(token, 'role', 'EMPTY_TOKEN'), | ||||
UserApiKeys.ROLE_PASSWORD_RESET) | ||||
self.session.flash( | ||||
_('Given reset token is invalid'), queue='error') | ||||
return HTTPFound(self.request.route_path('reset_password')) | ||||
r30 | try: | |||
r1471 | owner = token.user | |||
data = {'email': owner.email, 'token': token.api_key} | ||||
UserModel().reset_password(data) | ||||
r30 | self.session.flash( | |||
_('Your password reset was successful, ' | ||||
'a new password has been sent to your email'), | ||||
queue='success') | ||||
except Exception as e: | ||||
log.error(e) | ||||
return HTTPFound(self.request.route_path('reset_password')) | ||||
return HTTPFound(self.request.route_path('login')) | ||||