##// END OF EJS Templates
celery: ping db connection before task execution to recycle db connections.
celery: ping db connection before task execution to recycle db connections.

File last commit:

r3387:8a62bda2 default
r3390:02f7713a default
Show More
auth_rhodecode.py
186 lines | 6.9 KiB | text/x-python | PythonLexer
# -*- coding: utf-8 -*-
# Copyright (C) 2012-2019 RhodeCode GmbH
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License, version 3
# (only), as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU Affero General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
# This program is dual-licensed. If you wish to learn more about the
# RhodeCode Enterprise Edition, including its added features, Support services,
# and proprietary license terms, please see https://rhodecode.com/licenses/
"""
RhodeCode authentication plugin for built in internal auth
"""
import logging
import colander
from rhodecode.authentication.schema import AuthnPluginSettingsSchemaBase
from rhodecode.translation import _
from rhodecode.authentication.base import RhodeCodeAuthPluginBase, hybrid_property
from rhodecode.authentication.routes import AuthnPluginResourceBase
from rhodecode.lib.utils2 import safe_str
from rhodecode.model.db import User
log = logging.getLogger(__name__)
def plugin_factory(plugin_id, *args, **kwargs):
plugin = RhodeCodeAuthPlugin(plugin_id)
return plugin
class RhodecodeAuthnResource(AuthnPluginResourceBase):
pass
class RhodeCodeAuthPlugin(RhodeCodeAuthPluginBase):
uid = 'rhodecode'
LOGIN_RESTRICTION_NONE = 'none'
LOGIN_RESTRICTION_SUPER_ADMIN = 'super_admin'
def includeme(self, config):
config.add_authn_plugin(self)
config.add_authn_resource(self.get_id(), RhodecodeAuthnResource(self))
config.add_view(
'rhodecode.authentication.views.AuthnPluginViewBase',
attr='settings_get',
renderer='rhodecode:templates/admin/auth/plugin_settings.mako',
request_method='GET',
route_name='auth_home',
context=RhodecodeAuthnResource)
config.add_view(
'rhodecode.authentication.views.AuthnPluginViewBase',
attr='settings_post',
renderer='rhodecode:templates/admin/auth/plugin_settings.mako',
request_method='POST',
route_name='auth_home',
context=RhodecodeAuthnResource)
def get_settings_schema(self):
return RhodeCodeSettingsSchema()
def get_display_name(self):
return _('RhodeCode Internal')
@classmethod
def docs(cls):
return "https://docs.rhodecode.com/RhodeCode-Enterprise/auth/auth.html"
@hybrid_property
def name(self):
return u"rhodecode"
def user_activation_state(self):
def_user_perms = User.get_default_user().AuthUser().permissions['global']
return 'hg.register.auto_activate' in def_user_perms
def allows_authentication_from(
self, user, allows_non_existing_user=True,
allowed_auth_plugins=None, allowed_auth_sources=None):
"""
Custom method for this auth that doesn't accept non existing users.
We know that user exists in our database.
"""
allows_non_existing_user = False
return super(RhodeCodeAuthPlugin, self).allows_authentication_from(
user, allows_non_existing_user=allows_non_existing_user)
def auth(self, userobj, username, password, settings, **kwargs):
if not userobj:
log.debug('userobj was:%s skipping', userobj)
return None
if userobj.extern_type != self.name:
log.warning(
"userobj:%s extern_type mismatch got:`%s` expected:`%s`",
userobj, userobj.extern_type, self.name)
return None
login_restriction = settings.get('login_restriction', '')
if login_restriction == self.LOGIN_RESTRICTION_SUPER_ADMIN and userobj.admin is False:
log.info(
"userobj:%s is not super-admin and login restriction is set to %s",
userobj, login_restriction)
return None
user_attrs = {
"username": userobj.username,
"firstname": userobj.firstname,
"lastname": userobj.lastname,
"groups": [],
'user_group_sync': False,
"email": userobj.email,
"admin": userobj.admin,
"active": userobj.active,
"active_from_extern": userobj.active,
"extern_name": userobj.user_id,
"extern_type": userobj.extern_type,
}
log.debug("User attributes:%s", user_attrs)
if userobj.active:
from rhodecode.lib import auth
crypto_backend = auth.crypto_backend()
password_encoded = safe_str(password)
password_match, new_hash = crypto_backend.hash_check_with_upgrade(
password_encoded, userobj.password or '')
if password_match and new_hash:
log.debug('user %s properly authenticated, but '
'requires hash change to bcrypt', userobj)
# if password match, and we use OLD deprecated hash,
# we should migrate this user hash password to the new hash
# we store the new returned by hash_check_with_upgrade function
user_attrs['_hash_migrate'] = new_hash
if userobj.username == User.DEFAULT_USER and userobj.active:
log.info('user `%s` authenticated correctly as anonymous user',
userobj.username)
return user_attrs
elif userobj.username == username and password_match:
log.info('user `%s` authenticated correctly', userobj.username)
return user_attrs
log.warn("user `%s` used a wrong password when "
"authenticating on this plugin", userobj.username)
return None
else:
log.warning(
'user `%s` failed to authenticate via %s, reason: account not '
'active.', username, self.name)
return None
class RhodeCodeSettingsSchema(AuthnPluginSettingsSchemaBase):
login_restriction_choices = [
(RhodeCodeAuthPlugin.LOGIN_RESTRICTION_NONE, 'All users'),
(RhodeCodeAuthPlugin.LOGIN_RESTRICTION_SUPER_ADMIN, 'Super admins only')
]
login_restriction = colander.SchemaNode(
colander.String(),
default=login_restriction_choices[0],
description=_('Choose login restrition for users.'),
title=_('Login restriction'),
validator=colander.OneOf([x[0] for x in login_restriction_choices]),
widget='select_with_labels',
choices=login_restriction_choices
)
def includeme(config):
plugin_id = 'egg:rhodecode-enterprise-ce#{}'.format(RhodeCodeAuthPlugin.uid)
plugin_factory(plugin_id).includeme(config)