Merged in liads/rhodecode (pull request #14)
marcink -
r1623:b7094c69 merge beta
1 NO CONTENT: modified file chmod 100755 => 100644
NO CONTENT: modified file chmod 100755 => 100644
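--- a/PLACEHOLDER-config-ini
+++ b/PLACEHOLDER-config-ini
@@ -53,6 +53,8 @@ cut_off_limit = 256000
 force_https = false
 commit_parse_limit = 50
 use_gravatar = true
+container_auth_enabled = false
+proxypass_auth_enabled = false
 
 ####################################
 ### CELERY CONFIG ####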
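Review bot: The two new keys `container_auth_enabled` and `proxypass_auth_enabled` are added without any comment saying what each switches on or what it assumes about the deployment, and the second one changes who is trusted to name the user. A comment above each would help operators: `## log in (and auto-create) the user named by the container's REMOTE_USER` above the first, and `## also accept the X-Forwarded-User request header; only safe behind a proxy that sets or strips that header on every request` above the second. Both default to false, so the shipped defaults are the safe ones.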
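--- a/rhodecode/lib/auth.py
+++ b/rhodecode/lib/auth.py
@@ -223,6 +223,43 @@ def authenticate(username, password):
         pass
     return False
 
+def login_container_auth(username):
+    user = User.get_by_username(username)
+    if user is None:
+        user_model = UserModel()
+        user_attrs = {
+            'name': username,
+            'lastname': None,
+            'email': None,
+        }
+        if not user_model.create_for_container_auth(username, user_attrs):
+            return None
+        user = User.get_by_username(username)
+        log.info('User %s was created by container authentication', username)
+
+    if not user.active:
+        return None
+
+    user.update_lastlogin()
+    log.debug('User %s is now logged in by container authentication', user.username)
+    return user
+
+def get_container_username(environ, cfg=config):
+    from paste.httpheaders import REMOTE_USER
+    from paste.deploy.converters import asbool
+
+    username = REMOTE_USER(environ)
+
+    if not username and asbool(cfg.get('proxypass_auth_enabled', False)):
+        username = environ.get('HTTP_X_FORWARDED_USER')
+
+    if username:
+        #Removing realm and domain from username
+        username = username.partition('@')[0]
+        username = username.rpartition('\\')[2]
+        log.debug('Received username %s from container', username)
+
+    return username
 
 class AuthUser(object):
     """
@@ -234,12 +271,12 @@ class AuthUser(object):
     in
     """
 
-    def __init__(self, user_id=None, api_key=None):
+    def __init__(self, user_id=None, api_key=None, username=None):
 
         self.user_id = user_id
         self.api_key = None
-
+        self.username = username
-        self.username = 'None'
+
         self.name = ''
         self.lastname = ''
         self.email = ''
@@ -252,23 +289,37 @@ class AuthUser(object):
     def propagate_data(self):
         user_model = UserModel()
         self.anonymous_user = User.get_by_username('default')
+        is_user_loaded = False
         if self._api_key and self._api_key != self.anonymous_user.api_key:
             #try go get user by api key
             log.debug('Auth User lookup by API KEY %s', self._api_key)
-            user_model.fill_data(self, api_key=self._api_key)
+            is_user_loaded = user_model.fill_data(self, api_key=self._api_key)
-        else:
+        elif self.user_id is not None \
+            and self.user_id != self.anonymous_user.user_id:
             log.debug('Auth User lookup by USER ID %s', self.user_id)
-            if self.user_id is not None \
+            is_user_loaded = user_model.fill_data(self, user_id=self.user_id)
-                and self.user_id != self.anonymous_user.user_id:
+        elif self.username:
-                user_model.fill_data(self, user_id=self.user_id)
+            log.debug('Auth User lookup by USER NAME %s', self.username)
+            dbuser = login_container_auth(self.username)
+            if dbuser is not None:
+                for k, v in dbuser.get_dict().items():
+                    setattr(self, k, v)
+                self.set_authenticated()
+                is_user_loaded = True
+
+        if not is_user_loaded:
+            if self.anonymous_user.active is True:
+                user_model.fill_data(self,
+                                     user_id=self.anonymous_user.user_id)
+                #then we set this user is logged in
+                self.is_authenticated = True
             else:
-                if self.anonymous_user.active is True:
+                self.user_id = None
-                    user_model.fill_data(self,
+                self.username = None
-                                         user_id=self.anonymous_user.user_id)
+                self.is_authenticated = False
-                    #then we set this user is logged in
+
-                    self.is_authenticated = True
+            if not self.username:
-                else:
+                self.username = 'None'
-                    self.is_authenticated = False
 
         log.debug('Auth User is now %s', self)
         user_model.fill_perms(self)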
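Review bot: `get_container_username` reads `HTTP_X_FORWARDED_USER` straight out of the WSGI environ whenever `proxypass_auth_enabled` is set, and the SimpleGit and SimpleHg hunks further down then skip HTTP basic auth entirely when it returns a name, so any client that can reach the application without going through the proxy that is supposed to set that header can name an arbitrary account. The header should only be honoured when the request demonstrably came from that proxy — for example extend the condition to `if not username and asbool(cfg.get('proxypass_auth_enabled', False)) and environ.get('REMOTE_ADDR') in <configured proxy addresses>:` (the setting name is for the author to pick) — and a comment such as `# X-Forwarded-User is client-supplied; it is trusted only because a proxy in front of us is expected to overwrite it on every request` should record the assumption next to the lookup. `login_container_auth` also calls `user.update_lastlogin()` and may create an account, and `propagate_data` calls it on every request that carries a container username, so each such request performs a database write; if that is intended it deserves a comment, otherwise the last-login update belongs on first sight of a session only. Both new module-level functions lack a docstring; `get_container_username` should state that it returns `None` when neither source names a user and that the realm/domain stripping is lossy (`user@a` and `user@b` collapse to `user`).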
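--- a/PLACEHOLDER-BaseController-module.py
+++ b/PLACEHOLDER-BaseController-module.py
@@ -8,9 +8,10 @@ from pylons import config, tmpl_context
 from pylons.controllers import WSGIController
 from pylons.controllers.util import redirect
 from pylons.templating import render_mako as render
+from paste.deploy.converters import asbool
 
 from rhodecode import __version__
-from rhodecode.lib.auth import AuthUser
+from rhodecode.lib.auth import AuthUser, get_container_username
 from rhodecode.lib.utils import get_repo_slug
 from rhodecode.model import meta
 from rhodecode.model.scm import ScmModel
@@ -44,8 +45,15 @@ class BaseController(WSGIController):
         # putting this here makes sure that we update permissions each time
         api_key = request.GET.get('api_key')
         user_id = getattr(session.get('rhodecode_user'), 'user_id', None)
-        self.rhodecode_user = c.rhodecode_user = AuthUser(user_id, api_key)
+        if asbool(config.get('container_auth_enabled', False)):
-        self.rhodecode_user.set_authenticated(
+            username = get_container_username(environ)
+        else:
+            username = None
+
+        self.rhodecode_user = c.rhodecode_user = AuthUser(user_id, api_key, username)
+        if not self.rhodecode_user.is_authenticated and \
+            self.rhodecode_user.user_id is not None:
+            self.rhodecode_user.set_authenticated(
                                         getattr(session.get('rhodecode_user'),
                                         'is_authenticated', False))
         session['rhodecode_user'] = self.rhodecode_user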
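Review bot: The container `username` is passed to `AuthUser` together with the session's `user_id`, but `AuthUser.propagate_data` (in the auth.py hunk above) consults `user_id` before `username`, so with container auth enabled a stale session for user A is kept even when the container now names user B. If the container identity is meant to be authoritative, the session id should be dropped or cross-checked when a container name is present, e.g. `user_id = None if username else user_id` before the `AuthUser(...)` call — that is a behaviour change, so it needs confirming against how session reuse is intended to work. The `set_authenticated(getattr(session.get('rhodecode_user'), 'is_authenticated', False))` call is now reached only for a user that is not yet authenticated but has a `user_id`, i.e. the session-restore case; a comment such as `# session-only user (no api key, no container name): restore the flag saved in the session` would make that visible. The enclosing method starts and ends outside the hunk.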
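--- a/PLACEHOLDER-helpers-module.py
+++ b/PLACEHOLDER-helpers-module.py
@@ -455,7 +455,8 @@ HasRepoPermissionAny, HasRepoPermissionA
 
 def gravatar_url(email_address, size=30):
     if not str2bool(config['app_conf'].get('use_gravatar')) or \
-        email_address == 'anonymous@rhodecode.org':
+        not email_address or \
+        email_address == 'anonymous@rhodecode.org':
         return url("/images/user%s.png" % size)
 
     ssl_enabled = 'https' == request.environ.get('wsgi.url_scheme')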
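--- a/PLACEHOLDER-SimpleGit-middleware.py
+++ b/PLACEHOLDER-SimpleGit-middleware.py
@@ -70,7 +70,7 @@ from paste.auth.basic import AuthBasicAu
 from paste.httpheaders import REMOTE_USER, AUTH_TYPE
 
 from rhodecode.lib import safe_str
-from rhodecode.lib.auth import authfunc, HasPermissionAnyMiddleware
+from rhodecode.lib.auth import authfunc, HasPermissionAnyMiddleware, get_container_username
 from rhodecode.lib.utils import invalidate_cache, is_valid_repo
 from rhodecode.model.db import User
 
@@ -148,7 +148,7 @@ class SimpleGit(object):
         # NEED TO AUTHENTICATE AND ASK FOR AUTH USER PERMISSIONS
         #==============================================================
 
-        if not REMOTE_USER(environ):
+        if not get_container_username(environ, self.config):
             self.authenticate.realm = \
                 safe_str(self.config['rhodecode_realm'])
             result = self.authenticate(environ)
@@ -164,10 +164,10 @@ class SimpleGit(object):
         #==============================================================
 
         if action in ['pull', 'push']:
-            username = REMOTE_USER(environ)
+            username = get_container_username(environ, self.config)
             try:
                 user = self.__get_user(username)
-                if user is None:
+                if user is None or not user.active:
                     return HTTPForbidden()(environ, start_response)
                 username = user.username
             except: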
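--- a/PLACEHOLDER-SimpleHg-middleware.py
+++ b/PLACEHOLDER-SimpleHg-middleware.py
@@ -35,7 +35,7 @@ from paste.auth.basic import AuthBasicAu
 from paste.httpheaders import REMOTE_USER, AUTH_TYPE
 
 from rhodecode.lib import safe_str
-from rhodecode.lib.auth import authfunc, HasPermissionAnyMiddleware
+from rhodecode.lib.auth import authfunc, HasPermissionAnyMiddleware, get_container_username
 from rhodecode.lib.utils import make_ui, invalidate_cache, \
     is_valid_repo, ui_sections
 from rhodecode.model.db import User
@@ -114,7 +114,7 @@ class SimpleHg(object):
         # NEED TO AUTHENTICATE AND ASK FOR AUTH USER PERMISSIONS
         #==============================================================
 
-        if not REMOTE_USER(environ):
+        if not get_container_username(environ, self.config):
             self.authenticate.realm = \
                 safe_str(self.config['rhodecode_realm'])
             result = self.authenticate(environ)
@@ -130,10 +130,10 @@ class SimpleHg(object):
         #==============================================================
 
         if action in ['pull', 'push']:
-            username = REMOTE_USER(environ)
+            username = get_container_username(environ, self.config)
             try:
                 user = self.__get_user(username)
-                if user is None:
+                if user is None or not user.active:
                     return HTTPForbidden()(environ, start_response)
                 username = user.username
             except: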
1 NO CONTENT: modified file chmod 100755 => 100644
NO CONTENT: modified file chmod 100755 => 100644
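--- a/PLACEHOLDER-UserModel-module.py
+++ b/PLACEHOLDER-UserModel-module.py
@@ -92,6 +92,35 @@ class UserModel(BaseModel):
             self.sa.rollback()
             raise
 
+    def create_for_container_auth(self, username, attrs):
+        """
+        Creates the given user if it's not already in the database
+
+        :param username:
+        :param attrs:
+        """
+        if self.get_by_username(username, case_insensitive=True) is None:
+            try:
+                new_user = User()
+                new_user.username = username
+                new_user.password = None
+                new_user.api_key = generate_api_key(username)
+                new_user.email = attrs['email']
+                new_user.active = True
+                new_user.name = attrs['name']
+                new_user.lastname = attrs['lastname']
+
+                self.sa.add(new_user)
+                self.sa.commit()
+                return True
+            except (DatabaseError,):
+                log.error(traceback.format_exc())
+                self.sa.rollback()
+                raise
+        log.debug('User %s already exists. Skipping creation of account for container auth.',
+                  username)
+        return False
+
     def create_ldap(self, username, password, user_dn, attrs):
         """
         Checks if user is in database, if not creates this user marked
@@ -243,16 +272,19 @@ class UserModel(BaseModel):
             else:
                 dbuser = self.get(user_id)
 
-            if dbuser is not None:
+            if dbuser is not None and dbuser.active:
                 log.debug('filling %s data', dbuser)
                 for k, v in dbuser.get_dict().items():
                     setattr(auth_user, k, v)
+            else:
+                return False
 
         except:
             log.error(traceback.format_exc())
             auth_user.is_authenticated = False
+            return False
 
-        return auth_user
+        return True
 
     def fill_perms(self, user):
         """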
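Review bot: `create_for_container_auth`'s docstring leaves `:param attrs:` empty, yet the body indexes `attrs['email']`, `attrs['name']` and `attrs['lastname']` and raises `KeyError` for anything else; the docstring should list those three required keys and say that `True` means a row was created while `False` means an account with that name already exists, matched case-insensitively. That case-insensitive check is not mirrored by the caller: `login_container_auth` in the auth.py hunk does a plain `User.get_by_username(username)` after a `False` return, so a container name differing only in case from an existing account yields `None` and a silent login failure whose only trace is the `log.debug` in this method — logging that at warning level, or returning the existing user, would make it diagnosable. The created row sets `new_user.password = None`; it is worth confirming that the password-based paths (`authenticate` and the basic-auth middleware) reject a `None` stored password rather than comparing against it, and the docstring should note that such accounts are container-only. The `fill_data` hunk changes the return type from the `auth_user` object to a bool; any caller other than `AuthUser.propagate_data` that used the old return value would now break, which the commit message does not mention.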
1 NO CONTENT: modified file chmod 100755 => 100644
NO CONTENT: modified file chmod 100755 => 100644