# HG changeset patch
# User Marcin Kuzminski
# Date 2018-01-24 15:47:06
# Node ID 4f07613493866fe8cf48eb13343beac8694fefd6
# Parent fbc4bf4c517a9f64065cbd7a3ae94a027b3b0426
authentication: introduce a group sync flag for plugins.
- we'll skip any syncing on plugins which simply don't get any group information
- we let plugins define if they wish to sync groups
- prevent from odd cases in which someone sets user groups as syncing, and using regular plugin. In this case memebership of that group would be wiped, and it's generaly bad behaviour.
diff --git a/rhodecode/authentication/base.py b/rhodecode/authentication/base.py
--- a/rhodecode/authentication/base.py
+++ b/rhodecode/authentication/base.py
@@ -77,7 +77,6 @@ class hybrid_property(object):
         self.fdel(instance)
-
 class LazyFormencode(object):
     def __init__(self, formencode_obj, *args, **kwargs):
         self.formencode_obj = formencode_obj
@@ -106,6 +105,8 @@ class RhodeCodeAuthPluginBase(object):
         "lastname": "last name",
         "email": "email address",
         "groups": '["list", "of", "groups"]',
+        "user_group_sync":
+            'True|False defines if returned user groups should be synced',
         "extern_name": "name in external source of record",
         "extern_type": "type of external source of record",
         "admin": 'True|False defines if user should be RhodeCode super admin',
@@ -114,6 +115,7 @@ class RhodeCodeAuthPluginBase(object):
         "active_from_extern":
             "True|False\None, active state from the external auth, "
             "None means use definition from RhodeCode extern_type active value"
+
     }
     # set on authenticate() method and via set_auth_type func.
     auth_type = None
@@ -412,8 +414,9 @@ class RhodeCodeAuthPluginBase(object):
             new_hash = auth.get('_hash_migrate')
             if new_hash:
                 self._migrate_hash_to_bcrypt(username, passwd, new_hash)
+            if 'user_group_sync' not in auth:
+                auth['user_group_sync'] = False
             return self._validate_auth_return(auth)
-        return auth
     def _migrate_hash_to_bcrypt(self, username, password, new_hash):
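Review bot: The fallback `auth['user_group_sync'] = False` in the `-412` hunk lives on a single return path, immediately before `return self._validate_auth_return(auth)`, while the consumer in `RhodeCodeExternalAuthPlugin` indexes `auth['user_group_sync']` directly, so the consumer only works if every auth dict it sees has passed through this wrapper — which cannot be confirmed from the hunk alone. Putting the default into `_validate_auth_return`, or reading the flag with `auth.get('user_group_sync', False)` where it is consumed, removes that coupling. Dropping the unreachable `return auth` that followed the `return` above it is correct; the enclosing method starts and ends outside the hunk. The `user_attributes` entry added in the `-106` hunk could also state the fallback, e.g. `'True|False defines if returned user groups should be synced; missing means False'`.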
@@ -538,16 +541,19 @@ class RhodeCodeExternalAuthPlugin(RhodeC
             # enforce user is just in given groups, all of them has to be ones
             # created from plugins. We store this info in _group_data JSON
             # field
-            try:
-                groups = auth['groups'] or []
-                log.debug(
-                    'Performing user_group sync based on set `%s` '
-                    'returned by this plugin', groups)
-                UserGroupModel().enforce_groups(user, groups, self.name)
-            except Exception:
-                # for any reason group syncing fails, we should
-                # proceed with login
-                log.error(traceback.format_exc())
+
+            if auth['user_group_sync']:
+                try:
+                    groups = auth['groups'] or []
+                    log.debug(
+                        'Performing user_group sync based on set `%s` '
+                        'returned by `%s` plugin', groups, self.name)
+                    UserGroupModel().enforce_groups(user, groups, self.name)
+                except Exception:
+                    # for any reason group syncing fails, we should
+                    # proceed with login
+                    log.error(traceback.format_exc())
+
             Session().commit()
         return auth
@@ -671,7 +677,7 @@ def authenticate(username, password, env
                 environ=environ or {})
             if plugin_cache_active:
-                log.debug('Trying to fetch cached auth by %s', _password_hash[:6])
+                log.debug('Trying to fetch cached auth by `...%s`', _password_hash[:6])
                 plugin_user = cache_manager.get(
                     _password_hash, createfunc=auth_func)
             else:
diff --git a/rhodecode/authentication/plugins/auth_crowd.py b/rhodecode/authentication/plugins/auth_crowd.py
--- a/rhodecode/authentication/plugins/auth_crowd.py
+++ b/rhodecode/authentication/plugins/auth_crowd.py
@@ -267,6 +267,7 @@ class RhodeCodeAuthPlugin(RhodeCodeExter
             'firstname': crowd_user["first-name"] or firstname,
             'lastname': crowd_user["last-name"] or lastname,
             'groups': crowd_user["groups"],
+            'user_group_sync': True,
             'email': crowd_user["email"] or email,
             'admin': admin,
             'active': active,
diff --git a/rhodecode/authentication/plugins/auth_headers.py b/rhodecode/authentication/plugins/auth_headers.py
--- a/rhodecode/authentication/plugins/auth_headers.py
+++ b/rhodecode/authentication/plugins/auth_headers.py
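Review bot: When `auth['user_group_sync']` is false the new branch skips `enforce_groups` silently, so an operator reading debug output cannot tell "plugin returned no groups" from "sync disabled for this plugin", and any user-group memberships this plugin enforced under the previous code are simply left as they are. An `else:` branch with `log.debug('user_group sync disabled for plugin %s, skipping', self.name)` makes the skip visible in the same log stream as the sync itself. The flag is also indexed directly; `auth.get('user_group_sync')` would tolerate an auth dict that did not pass through the base class defaulting added in base.py. The enclosing method starts outside the hunk.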
@@ -212,6 +212,7 @@ class RhodeCodeAuthPlugin(RhodeCodeExter
             'firstname': safe_unicode(firstname or username),
             'lastname': safe_unicode(lastname or ''),
             'groups': [],
+            'user_group_sync': False,
             'email': email or '',
             'admin': admin or False,
             'active': active,
diff --git a/rhodecode/authentication/plugins/auth_jasig_cas.py b/rhodecode/authentication/plugins/auth_jasig_cas.py
--- a/rhodecode/authentication/plugins/auth_jasig_cas.py
+++ b/rhodecode/authentication/plugins/auth_jasig_cas.py
@@ -154,6 +154,7 @@ class RhodeCodeAuthPlugin(RhodeCodeExter
             'firstname': safe_unicode(firstname or username),
             'lastname': safe_unicode(lastname or ''),
             'groups': [],
+            'user_group_sync': False,
             'email': email or '',
             'admin': admin or False,
             'active': active,
diff --git a/rhodecode/authentication/plugins/auth_ldap.py b/rhodecode/authentication/plugins/auth_ldap.py
--- a/rhodecode/authentication/plugins/auth_ldap.py
+++ b/rhodecode/authentication/plugins/auth_ldap.py
@@ -460,6 +460,7 @@ class RhodeCodeAuthPlugin(RhodeCodeExter
             'lastname': safe_unicode(
                 get_ldap_attr('attr_lastname') or lastname),
             'groups': groups,
+            'user_group_sync': False,
             'email': get_ldap_attr('attr_email') or email,
             'admin': admin,
             'active': active,
diff --git a/rhodecode/authentication/plugins/auth_pam.py b/rhodecode/authentication/plugins/auth_pam.py
--- a/rhodecode/authentication/plugins/auth_pam.py
+++ b/rhodecode/authentication/plugins/auth_pam.py
@@ -136,6 +136,7 @@ class RhodeCodeAuthPlugin(RhodeCodeExter
             'lastname': lastname,
             'groups': [g.gr_name for g in grp.getgrall()
                        if username in g.gr_mem],
+            'user_group_sync': True,
             'email': email,
             'admin': admin,
             'active': active,
diff --git a/rhodecode/authentication/plugins/auth_rhodecode.py b/rhodecode/authentication/plugins/auth_rhodecode.py
--- a/rhodecode/authentication/plugins/auth_rhodecode.py
+++ b/rhodecode/authentication/plugins/auth_rhodecode.py
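Review bot: The auth_ldap.py hunk sets `'user_group_sync': False` while still returning the `groups` value it collected from the directory, which does not match the commit's stated rule of skipping sync only for plugins that receive no group information. The practical consequence is that a user removed from a directory group keeps whatever RhodeCode user-group membership earlier logins enforced, because `enforce_groups` is no longer invoked for this plugin. If that is intended — for instance because the LDAP group attribute is not treated as authoritative — a comment on the line should record it, e.g. `# LDAP groups are reported but not enforced as user-group membership`; otherwise `True` would match the crowd and pam plugins, which also return real group lists.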
@@ -100,6 +100,7 @@ class RhodeCodeAuthPlugin(RhodeCodeAuthP
             "firstname": userobj.firstname,
             "lastname": userobj.lastname,
             "groups": [],
+            'user_group_sync': False,
             "email": userobj.email,
             "admin": userobj.admin,
             "active": userobj.active,
diff --git a/rhodecode/authentication/plugins/auth_token.py b/rhodecode/authentication/plugins/auth_token.py
--- a/rhodecode/authentication/plugins/auth_token.py
+++ b/rhodecode/authentication/plugins/auth_token.py
@@ -111,6 +111,7 @@ class RhodeCodeAuthPlugin(RhodeCodeAuthP
             "firstname": userobj.firstname,
             "lastname": userobj.lastname,
             "groups": [],
+            'user_group_sync': False,
             "email": userobj.email,
             "admin": userobj.admin,
             "active": userobj.active,
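Review bot: The new entry `'user_group_sync': False,` is the only single-quoted key in a dict whose other keys all use double quotes; `"user_group_sync": False,` keeps the literal uniform. The same applies to the auth_token.py hunk below it. Both plugins are internal and return `"groups": []`, so `False` is the appropriate value in each.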