Show More
@@ -0,0 +1,220 b'' | |||
|
1 | # -*- coding: utf-8 -*- | |
|
2 | ||
|
3 | # Copyright (C) 2012-2016 RhodeCode GmbH | |
|
4 | # | |
|
5 | # This program is free software: you can redistribute it and/or modify | |
|
6 | # it under the terms of the GNU Affero General Public License, version 3 | |
|
7 | # (only), as published by the Free Software Foundation. | |
|
8 | # | |
|
9 | # This program is distributed in the hope that it will be useful, | |
|
10 | # but WITHOUT ANY WARRANTY; without even the implied warranty of | |
|
11 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |
|
12 | # GNU General Public License for more details. | |
|
13 | # | |
|
14 | # You should have received a copy of the GNU Affero General Public License | |
|
15 | # along with this program. If not, see <http://www.gnu.org/licenses/>. | |
|
16 | # | |
|
17 | # This program is dual-licensed. If you wish to learn more about the | |
|
18 | # RhodeCode Enterprise Edition, including its added features, Support services, | |
|
19 | # and proprietary license terms, please see https://rhodecode.com/licenses/ | |
|
20 | ||
|
21 | import colander | |
|
22 | import logging | |
|
23 | ||
|
24 | from sqlalchemy.ext.hybrid import hybrid_property | |
|
25 | ||
|
26 | from rhodecode.authentication.base import RhodeCodeExternalAuthPlugin | |
|
27 | from rhodecode.authentication.schema import AuthnPluginSettingsSchemaBase | |
|
28 | from rhodecode.authentication.routes import AuthnPluginResourceBase | |
|
29 | from rhodecode.lib.utils2 import str2bool, safe_unicode | |
|
30 | from rhodecode.model.db import User | |
|
31 | from rhodecode.translation import _ | |
|
32 | ||
|
33 | ||
|
34 | log = logging.getLogger(__name__) | |
|
35 | ||
|
36 | ||
|
37 | def plugin_factory(plugin_id, *args, **kwds): | |
|
38 | """ | |
|
39 | Factory function that is called during plugin discovery. | |
|
40 | It returns the plugin instance. | |
|
41 | """ | |
|
42 | plugin = RhodeCodeAuthPlugin(plugin_id) | |
|
43 | return plugin | |
|
44 | ||
|
45 | ||
|
46 | class ContainerAuthnResource(AuthnPluginResourceBase): | |
|
47 | pass | |
|
48 | ||
|
49 | ||
|
50 | class ContainerSettingsSchema(AuthnPluginSettingsSchemaBase): | |
|
51 | header = colander.SchemaNode( | |
|
52 | colander.String(), | |
|
53 | default='REMOTE_USER', | |
|
54 | description=_('Header to extract the user from'), | |
|
55 | title=_('Header'), | |
|
56 | widget='string') | |
|
57 | fallback_header = colander.SchemaNode( | |
|
58 | colander.String(), | |
|
59 | default='HTTP_X_FORWARDED_USER', | |
|
60 | description=_('Header to extract the user from when main one fails'), | |
|
61 | title=_('Fallback header'), | |
|
62 | widget='string') | |
|
63 | clean_username = colander.SchemaNode( | |
|
64 | colander.Boolean(), | |
|
65 | default=True, | |
|
66 | description=_('Perform cleaning of user, if passed user has @ in ' | |
|
67 | 'username then first part before @ is taken. ' | |
|
68 | 'If there\'s \\ in the username only the part after ' | |
|
69 | ' \\ is taken'), | |
|
70 | missing=False, | |
|
71 | title=_('Clean username'), | |
|
72 | widget='bool') | |
|
73 | ||
|
74 | ||
|
75 | class RhodeCodeAuthPlugin(RhodeCodeExternalAuthPlugin): | |
|
76 | ||
|
77 | def includeme(self, config): | |
|
78 | config.add_authn_plugin(self) | |
|
79 | config.add_authn_resource(self.get_id(), ContainerAuthnResource(self)) | |
|
80 | config.add_view( | |
|
81 | 'rhodecode.authentication.views.AuthnPluginViewBase', | |
|
82 | attr='settings_get', | |
|
83 | request_method='GET', | |
|
84 | route_name='auth_home', | |
|
85 | context=ContainerAuthnResource) | |
|
86 | config.add_view( | |
|
87 | 'rhodecode.authentication.views.AuthnPluginViewBase', | |
|
88 | attr='settings_post', | |
|
89 | request_method='POST', | |
|
90 | route_name='auth_home', | |
|
91 | context=ContainerAuthnResource) | |
|
92 | ||
|
93 | def get_display_name(self): | |
|
94 | return _('Container') | |
|
95 | ||
|
96 | def get_settings_schema(self): | |
|
97 | return ContainerSettingsSchema() | |
|
98 | ||
|
99 | @hybrid_property | |
|
100 | def name(self): | |
|
101 | return "container" | |
|
102 | ||
|
103 | @hybrid_property | |
|
104 | def is_container_auth(self): | |
|
105 | return True | |
|
106 | ||
|
107 | def use_fake_password(self): | |
|
108 | return True | |
|
109 | ||
|
110 | def user_activation_state(self): | |
|
111 | def_user_perms = User.get_default_user().AuthUser.permissions['global'] | |
|
112 | return 'hg.extern_activate.auto' in def_user_perms | |
|
113 | ||
|
114 | def _clean_username(self, username): | |
|
115 | # Removing realm and domain from username | |
|
116 | username = username.split('@')[0] | |
|
117 | username = username.rsplit('\\')[-1] | |
|
118 | return username | |
|
119 | ||
|
120 | def _get_username(self, environ, settings): | |
|
121 | username = None | |
|
122 | environ = environ or {} | |
|
123 | if not environ: | |
|
124 | log.debug('got empty environ: %s' % environ) | |
|
125 | ||
|
126 | settings = settings or {} | |
|
127 | if settings.get('header'): | |
|
128 | header = settings.get('header') | |
|
129 | username = environ.get(header) | |
|
130 | log.debug('extracted %s:%s' % (header, username)) | |
|
131 | ||
|
132 | # fallback mode | |
|
133 | if not username and settings.get('fallback_header'): | |
|
134 | header = settings.get('fallback_header') | |
|
135 | username = environ.get(header) | |
|
136 | log.debug('extracted %s:%s' % (header, username)) | |
|
137 | ||
|
138 | if username and str2bool(settings.get('clean_username')): | |
|
139 | log.debug('Received username `%s` from container' % username) | |
|
140 | username = self._clean_username(username) | |
|
141 | log.debug('New cleanup user is:%s' % username) | |
|
142 | return username | |
|
143 | ||
|
144 | def get_user(self, username=None, **kwargs): | |
|
145 | """ | |
|
146 | Helper method for user fetching in plugins, by default it's using | |
|
147 | simple fetch by username, but this method can be custimized in plugins | |
|
148 | eg. container auth plugin to fetch user by environ params | |
|
149 | :param username: username if given to fetch | |
|
150 | :param kwargs: extra arguments needed for user fetching. | |
|
151 | """ | |
|
152 | environ = kwargs.get('environ') or {} | |
|
153 | settings = kwargs.get('settings') or {} | |
|
154 | username = self._get_username(environ, settings) | |
|
155 | # we got the username, so use default method now | |
|
156 | return super(RhodeCodeAuthPlugin, self).get_user(username) | |
|
157 | ||
|
158 | def auth(self, userobj, username, password, settings, **kwargs): | |
|
159 | """ | |
|
160 | Get's the container_auth username (or email). It tries to get username | |
|
161 | from REMOTE_USER if this plugin is enabled, if that fails | |
|
162 | it tries to get username from HTTP_X_FORWARDED_USER if fallback header | |
|
163 | is set. clean_username extracts the username from this data if it's | |
|
164 | having @ in it. | |
|
165 | Return None on failure. On success, return a dictionary of the form: | |
|
166 | ||
|
167 | see: RhodeCodeAuthPluginBase.auth_func_attrs | |
|
168 | ||
|
169 | :param userobj: | |
|
170 | :param username: | |
|
171 | :param password: | |
|
172 | :param settings: | |
|
173 | :param kwargs: | |
|
174 | """ | |
|
175 | environ = kwargs.get('environ') | |
|
176 | if not environ: | |
|
177 | log.debug('Empty environ data skipping...') | |
|
178 | return None | |
|
179 | ||
|
180 | if not userobj: | |
|
181 | userobj = self.get_user('', environ=environ, settings=settings) | |
|
182 | ||
|
183 | # we don't care passed username/password for container auth plugins. | |
|
184 | # only way to log in is using environ | |
|
185 | username = None | |
|
186 | if userobj: | |
|
187 | username = getattr(userobj, 'username') | |
|
188 | ||
|
189 | if not username: | |
|
190 | # we don't have any objects in DB user doesn't exist extrac username | |
|
191 | # from environ based on the settings | |
|
192 | username = self._get_username(environ, settings) | |
|
193 | ||
|
194 | # if cannot fetch username, it's a no-go for this plugin to proceed | |
|
195 | if not username: | |
|
196 | return None | |
|
197 | ||
|
198 | # old attrs fetched from RhodeCode database | |
|
199 | admin = getattr(userobj, 'admin', False) | |
|
200 | active = getattr(userobj, 'active', True) | |
|
201 | email = getattr(userobj, 'email', '') | |
|
202 | firstname = getattr(userobj, 'firstname', '') | |
|
203 | lastname = getattr(userobj, 'lastname', '') | |
|
204 | extern_type = getattr(userobj, 'extern_type', '') | |
|
205 | ||
|
206 | user_attrs = { | |
|
207 | 'username': username, | |
|
208 | 'firstname': safe_unicode(firstname or username), | |
|
209 | 'lastname': safe_unicode(lastname or ''), | |
|
210 | 'groups': [], | |
|
211 | 'email': email or '', | |
|
212 | 'admin': admin or False, | |
|
213 | 'active': active, | |
|
214 | 'active_from_extern': True, | |
|
215 | 'extern_name': username, | |
|
216 | 'extern_type': extern_type, | |
|
217 | } | |
|
218 | ||
|
219 | log.info('user `%s` authenticated correctly' % user_attrs['username']) | |
|
220 | return user_attrs |
@@ -213,6 +213,7 b' setup(' | |||
|
213 | 213 | paster_plugins=['PasteScript', 'Pylons'], |
|
214 | 214 | entry_points={ |
|
215 | 215 | 'enterprise.plugins1': [ |
|
216 | 'container=rhodecode.authentication.plugins.auth_container:plugin_factory', | |
|
216 | 217 | 'crowd=rhodecode.authentication.plugins.auth_crowd:plugin_factory', |
|
217 | 218 | 'jasig_cas=rhodecode.authentication.plugins.auth_jasig_cas:plugin_factory', |
|
218 | 219 | 'ldap=rhodecode.authentication.plugins.auth_ldap:plugin_factory', |
General Comments 0
You need to be logged in to leave comments.
Login now