Show More
1 | NO CONTENT: modified file chmod 100755 => 100644 |
|
NO CONTENT: modified file chmod 100755 => 100644 |
@@ -53,6 +53,8 cut_off_limit = 256000 | |||||
53 | force_https = false |
|
53 | force_https = false | |
54 | commit_parse_limit = 50 |
|
54 | commit_parse_limit = 50 | |
55 | use_gravatar = true |
|
55 | use_gravatar = true | |
|
56 | container_auth_enabled = false | |||
|
57 | proxypass_auth_enabled = false | |||
56 |
|
58 | |||
57 | #################################### |
|
59 | #################################### | |
58 | ### CELERY CONFIG #### |
|
60 | ### CELERY CONFIG #### |
@@ -223,6 +223,43 def authenticate(username, password): | |||||
223 | pass |
|
223 | pass | |
224 | return False |
|
224 | return False | |
225 |
|
225 | |||
|
226 | def login_container_auth(username): | |||
|
227 | user = User.get_by_username(username) | |||
|
228 | if user is None: | |||
|
229 | user_model = UserModel() | |||
|
230 | user_attrs = { | |||
|
231 | 'name': username, | |||
|
232 | 'lastname': None, | |||
|
233 | 'email': None, | |||
|
234 | } | |||
|
235 | if not user_model.create_for_container_auth(username, user_attrs): | |||
|
236 | return None | |||
|
237 | user = User.get_by_username(username) | |||
|
238 | log.info('User %s was created by container authentication', username) | |||
|
239 | ||||
|
240 | if not user.active: | |||
|
241 | return None | |||
|
242 | ||||
|
243 | user.update_lastlogin() | |||
|
244 | log.debug('User %s is now logged in by container authentication', user.username) | |||
|
245 | return user | |||
|
246 | ||||
|
247 | def get_container_username(environ, cfg=config): | |||
|
248 | from paste.httpheaders import REMOTE_USER | |||
|
249 | from paste.deploy.converters import asbool | |||
|
250 | ||||
|
251 | username = REMOTE_USER(environ) | |||
|
252 | ||||
|
253 | if not username and asbool(cfg.get('proxypass_auth_enabled', False)): | |||
|
254 | username = environ.get('HTTP_X_FORWARDED_USER') | |||
|
255 | ||||
|
256 | if username: | |||
|
257 | #Removing realm and domain from username | |||
|
258 | username = username.partition('@')[0] | |||
|
259 | username = username.rpartition('\\')[2] | |||
|
260 | log.debug('Received username %s from container', username) | |||
|
261 | ||||
|
262 | return username | |||
226 |
|
263 | |||
227 | class AuthUser(object): |
|
264 | class AuthUser(object): | |
228 | """ |
|
265 | """ | |
@@ -234,12 +271,12 class AuthUser(object): | |||||
234 | in |
|
271 | in | |
235 | """ |
|
272 | """ | |
236 |
|
273 | |||
237 | def __init__(self, user_id=None, api_key=None): |
|
274 | def __init__(self, user_id=None, api_key=None, username=None): | |
238 |
|
275 | |||
239 | self.user_id = user_id |
|
276 | self.user_id = user_id | |
240 | self.api_key = None |
|
277 | self.api_key = None | |
241 |
|
278 | self.username = username | ||
242 | self.username = 'None' |
|
279 | ||
243 | self.name = '' |
|
280 | self.name = '' | |
244 | self.lastname = '' |
|
281 | self.lastname = '' | |
245 | self.email = '' |
|
282 | self.email = '' | |
@@ -252,23 +289,37 class AuthUser(object): | |||||
252 | def propagate_data(self): |
|
289 | def propagate_data(self): | |
253 | user_model = UserModel() |
|
290 | user_model = UserModel() | |
254 | self.anonymous_user = User.get_by_username('default') |
|
291 | self.anonymous_user = User.get_by_username('default') | |
|
292 | is_user_loaded = False | |||
255 | if self._api_key and self._api_key != self.anonymous_user.api_key: |
|
293 | if self._api_key and self._api_key != self.anonymous_user.api_key: | |
256 | #try go get user by api key |
|
294 | #try go get user by api key | |
257 | log.debug('Auth User lookup by API KEY %s', self._api_key) |
|
295 | log.debug('Auth User lookup by API KEY %s', self._api_key) | |
258 | user_model.fill_data(self, api_key=self._api_key) |
|
296 | is_user_loaded = user_model.fill_data(self, api_key=self._api_key) | |
259 | else: |
|
297 | elif self.user_id is not None \ | |
|
298 | and self.user_id != self.anonymous_user.user_id: | |||
260 | log.debug('Auth User lookup by USER ID %s', self.user_id) |
|
299 | log.debug('Auth User lookup by USER ID %s', self.user_id) | |
261 | if self.user_id is not None \ |
|
300 | is_user_loaded = user_model.fill_data(self, user_id=self.user_id) | |
262 | and self.user_id != self.anonymous_user.user_id: |
|
301 | elif self.username: | |
263 | user_model.fill_data(self, user_id=self.user_id) |
|
302 | log.debug('Auth User lookup by USER NAME %s', self.username) | |
|
303 | dbuser = login_container_auth(self.username) | |||
|
304 | if dbuser is not None: | |||
|
305 | for k, v in dbuser.get_dict().items(): | |||
|
306 | setattr(self, k, v) | |||
|
307 | self.set_authenticated() | |||
|
308 | is_user_loaded = True | |||
|
309 | ||||
|
310 | if not is_user_loaded: | |||
|
311 | if self.anonymous_user.active is True: | |||
|
312 | user_model.fill_data(self, | |||
|
313 | user_id=self.anonymous_user.user_id) | |||
|
314 | #then we set this user is logged in | |||
|
315 | self.is_authenticated = True | |||
264 | else: |
|
316 | else: | |
265 |
|
|
317 | self.user_id = None | |
266 | user_model.fill_data(self, |
|
318 | self.username = None | |
267 | user_id=self.anonymous_user.user_id) |
|
319 | self.is_authenticated = False | |
268 | #then we set this user is logged in |
|
320 | ||
269 | self.is_authenticated = True |
|
321 | if not self.username: | |
270 | else: |
|
322 | self.username = 'None' | |
271 | self.is_authenticated = False |
|
|||
272 |
|
323 | |||
273 | log.debug('Auth User is now %s', self) |
|
324 | log.debug('Auth User is now %s', self) | |
274 | user_model.fill_perms(self) |
|
325 | user_model.fill_perms(self) |
@@ -8,9 +8,10 from pylons import config, tmpl_context | |||||
8 | from pylons.controllers import WSGIController |
|
8 | from pylons.controllers import WSGIController | |
9 | from pylons.controllers.util import redirect |
|
9 | from pylons.controllers.util import redirect | |
10 | from pylons.templating import render_mako as render |
|
10 | from pylons.templating import render_mako as render | |
|
11 | from paste.deploy.converters import asbool | |||
11 |
|
12 | |||
12 | from rhodecode import __version__ |
|
13 | from rhodecode import __version__ | |
13 | from rhodecode.lib.auth import AuthUser |
|
14 | from rhodecode.lib.auth import AuthUser, get_container_username | |
14 | from rhodecode.lib.utils import get_repo_slug |
|
15 | from rhodecode.lib.utils import get_repo_slug | |
15 | from rhodecode.model import meta |
|
16 | from rhodecode.model import meta | |
16 | from rhodecode.model.scm import ScmModel |
|
17 | from rhodecode.model.scm import ScmModel | |
@@ -44,8 +45,15 class BaseController(WSGIController): | |||||
44 | # putting this here makes sure that we update permissions each time |
|
45 | # putting this here makes sure that we update permissions each time | |
45 | api_key = request.GET.get('api_key') |
|
46 | api_key = request.GET.get('api_key') | |
46 | user_id = getattr(session.get('rhodecode_user'), 'user_id', None) |
|
47 | user_id = getattr(session.get('rhodecode_user'), 'user_id', None) | |
47 | self.rhodecode_user = c.rhodecode_user = AuthUser(user_id, api_key) |
|
48 | if asbool(config.get('container_auth_enabled', False)): | |
48 | self.rhodecode_user.set_authenticated( |
|
49 | username = get_container_username(environ) | |
|
50 | else: | |||
|
51 | username = None | |||
|
52 | ||||
|
53 | self.rhodecode_user = c.rhodecode_user = AuthUser(user_id, api_key, username) | |||
|
54 | if not self.rhodecode_user.is_authenticated and \ | |||
|
55 | self.rhodecode_user.user_id is not None: | |||
|
56 | self.rhodecode_user.set_authenticated( | |||
49 | getattr(session.get('rhodecode_user'), |
|
57 | getattr(session.get('rhodecode_user'), | |
50 | 'is_authenticated', False)) |
|
58 | 'is_authenticated', False)) | |
51 | session['rhodecode_user'] = self.rhodecode_user |
|
59 | session['rhodecode_user'] = self.rhodecode_user |
@@ -455,7 +455,8 HasRepoPermissionAny, HasRepoPermissionA | |||||
455 |
|
455 | |||
456 | def gravatar_url(email_address, size=30): |
|
456 | def gravatar_url(email_address, size=30): | |
457 | if not str2bool(config['app_conf'].get('use_gravatar')) or \ |
|
457 | if not str2bool(config['app_conf'].get('use_gravatar')) or \ | |
458 | email_address == 'anonymous@rhodecode.org': |
|
458 | not email_address or \ | |
|
459 | email_address == 'anonymous@rhodecode.org': | |||
459 | return url("/images/user%s.png" % size) |
|
460 | return url("/images/user%s.png" % size) | |
460 |
|
461 | |||
461 | ssl_enabled = 'https' == request.environ.get('wsgi.url_scheme') |
|
462 | ssl_enabled = 'https' == request.environ.get('wsgi.url_scheme') |
@@ -70,7 +70,7 from paste.auth.basic import AuthBasicAu | |||||
70 | from paste.httpheaders import REMOTE_USER, AUTH_TYPE |
|
70 | from paste.httpheaders import REMOTE_USER, AUTH_TYPE | |
71 |
|
71 | |||
72 | from rhodecode.lib import safe_str |
|
72 | from rhodecode.lib import safe_str | |
73 | from rhodecode.lib.auth import authfunc, HasPermissionAnyMiddleware |
|
73 | from rhodecode.lib.auth import authfunc, HasPermissionAnyMiddleware, get_container_username | |
74 | from rhodecode.lib.utils import invalidate_cache, is_valid_repo |
|
74 | from rhodecode.lib.utils import invalidate_cache, is_valid_repo | |
75 | from rhodecode.model.db import User |
|
75 | from rhodecode.model.db import User | |
76 |
|
76 | |||
@@ -148,7 +148,7 class SimpleGit(object): | |||||
148 | # NEED TO AUTHENTICATE AND ASK FOR AUTH USER PERMISSIONS |
|
148 | # NEED TO AUTHENTICATE AND ASK FOR AUTH USER PERMISSIONS | |
149 | #============================================================== |
|
149 | #============================================================== | |
150 |
|
150 | |||
151 |
if not |
|
151 | if not get_container_username(environ, self.config): | |
152 | self.authenticate.realm = \ |
|
152 | self.authenticate.realm = \ | |
153 | safe_str(self.config['rhodecode_realm']) |
|
153 | safe_str(self.config['rhodecode_realm']) | |
154 | result = self.authenticate(environ) |
|
154 | result = self.authenticate(environ) | |
@@ -164,10 +164,10 class SimpleGit(object): | |||||
164 | #============================================================== |
|
164 | #============================================================== | |
165 |
|
165 | |||
166 | if action in ['pull', 'push']: |
|
166 | if action in ['pull', 'push']: | |
167 |
username = |
|
167 | username = get_container_username(environ, self.config) | |
168 | try: |
|
168 | try: | |
169 | user = self.__get_user(username) |
|
169 | user = self.__get_user(username) | |
170 | if user is None: |
|
170 | if user is None or not user.active: | |
171 | return HTTPForbidden()(environ, start_response) |
|
171 | return HTTPForbidden()(environ, start_response) | |
172 | username = user.username |
|
172 | username = user.username | |
173 | except: |
|
173 | except: |
@@ -35,7 +35,7 from paste.auth.basic import AuthBasicAu | |||||
35 | from paste.httpheaders import REMOTE_USER, AUTH_TYPE |
|
35 | from paste.httpheaders import REMOTE_USER, AUTH_TYPE | |
36 |
|
36 | |||
37 | from rhodecode.lib import safe_str |
|
37 | from rhodecode.lib import safe_str | |
38 | from rhodecode.lib.auth import authfunc, HasPermissionAnyMiddleware |
|
38 | from rhodecode.lib.auth import authfunc, HasPermissionAnyMiddleware, get_container_username | |
39 | from rhodecode.lib.utils import make_ui, invalidate_cache, \ |
|
39 | from rhodecode.lib.utils import make_ui, invalidate_cache, \ | |
40 | is_valid_repo, ui_sections |
|
40 | is_valid_repo, ui_sections | |
41 | from rhodecode.model.db import User |
|
41 | from rhodecode.model.db import User | |
@@ -114,7 +114,7 class SimpleHg(object): | |||||
114 | # NEED TO AUTHENTICATE AND ASK FOR AUTH USER PERMISSIONS |
|
114 | # NEED TO AUTHENTICATE AND ASK FOR AUTH USER PERMISSIONS | |
115 | #============================================================== |
|
115 | #============================================================== | |
116 |
|
116 | |||
117 |
if not |
|
117 | if not get_container_username(environ, self.config): | |
118 | self.authenticate.realm = \ |
|
118 | self.authenticate.realm = \ | |
119 | safe_str(self.config['rhodecode_realm']) |
|
119 | safe_str(self.config['rhodecode_realm']) | |
120 | result = self.authenticate(environ) |
|
120 | result = self.authenticate(environ) | |
@@ -130,10 +130,10 class SimpleHg(object): | |||||
130 | #============================================================== |
|
130 | #============================================================== | |
131 |
|
131 | |||
132 | if action in ['pull', 'push']: |
|
132 | if action in ['pull', 'push']: | |
133 |
username = |
|
133 | username = get_container_username(environ, self.config) | |
134 | try: |
|
134 | try: | |
135 | user = self.__get_user(username) |
|
135 | user = self.__get_user(username) | |
136 | if user is None: |
|
136 | if user is None or not user.active: | |
137 | return HTTPForbidden()(environ, start_response) |
|
137 | return HTTPForbidden()(environ, start_response) | |
138 | username = user.username |
|
138 | username = user.username | |
139 | except: |
|
139 | except: |
1 | NO CONTENT: modified file chmod 100755 => 100644 |
|
NO CONTENT: modified file chmod 100755 => 100644 |
@@ -92,6 +92,35 class UserModel(BaseModel): | |||||
92 | self.sa.rollback() |
|
92 | self.sa.rollback() | |
93 | raise |
|
93 | raise | |
94 |
|
94 | |||
|
95 | def create_for_container_auth(self, username, attrs): | |||
|
96 | """ | |||
|
97 | Creates the given user if it's not already in the database | |||
|
98 | ||||
|
99 | :param username: | |||
|
100 | :param attrs: | |||
|
101 | """ | |||
|
102 | if self.get_by_username(username, case_insensitive=True) is None: | |||
|
103 | try: | |||
|
104 | new_user = User() | |||
|
105 | new_user.username = username | |||
|
106 | new_user.password = None | |||
|
107 | new_user.api_key = generate_api_key(username) | |||
|
108 | new_user.email = attrs['email'] | |||
|
109 | new_user.active = True | |||
|
110 | new_user.name = attrs['name'] | |||
|
111 | new_user.lastname = attrs['lastname'] | |||
|
112 | ||||
|
113 | self.sa.add(new_user) | |||
|
114 | self.sa.commit() | |||
|
115 | return True | |||
|
116 | except (DatabaseError,): | |||
|
117 | log.error(traceback.format_exc()) | |||
|
118 | self.sa.rollback() | |||
|
119 | raise | |||
|
120 | log.debug('User %s already exists. Skipping creation of account for container auth.', | |||
|
121 | username) | |||
|
122 | return False | |||
|
123 | ||||
95 | def create_ldap(self, username, password, user_dn, attrs): |
|
124 | def create_ldap(self, username, password, user_dn, attrs): | |
96 | """ |
|
125 | """ | |
97 | Checks if user is in database, if not creates this user marked |
|
126 | Checks if user is in database, if not creates this user marked | |
@@ -243,16 +272,19 class UserModel(BaseModel): | |||||
243 | else: |
|
272 | else: | |
244 | dbuser = self.get(user_id) |
|
273 | dbuser = self.get(user_id) | |
245 |
|
274 | |||
246 | if dbuser is not None: |
|
275 | if dbuser is not None and dbuser.active: | |
247 | log.debug('filling %s data', dbuser) |
|
276 | log.debug('filling %s data', dbuser) | |
248 | for k, v in dbuser.get_dict().items(): |
|
277 | for k, v in dbuser.get_dict().items(): | |
249 | setattr(auth_user, k, v) |
|
278 | setattr(auth_user, k, v) | |
|
279 | else: | |||
|
280 | return False | |||
250 |
|
281 | |||
251 | except: |
|
282 | except: | |
252 | log.error(traceback.format_exc()) |
|
283 | log.error(traceback.format_exc()) | |
253 | auth_user.is_authenticated = False |
|
284 | auth_user.is_authenticated = False | |
|
285 | return False | |||
254 |
|
286 | |||
255 |
return |
|
287 | return True | |
256 |
|
288 | |||
257 | def fill_perms(self, user): |
|
289 | def fill_perms(self, user): | |
258 | """ |
|
290 | """ |
1 | NO CONTENT: modified file chmod 100755 => 100644 |
|
NO CONTENT: modified file chmod 100755 => 100644 |
General Comments 0
You need to be logged in to leave comments.
Login now