|
|
# -*- coding: utf-8 -*-
|
|
|
# This program is free software: you can redistribute it and/or modify
|
|
|
# it under the terms of the GNU General Public License as published by
|
|
|
# the Free Software Foundation, either version 3 of the License, or
|
|
|
# (at your option) any later version.
|
|
|
#
|
|
|
# This program is distributed in the hope that it will be useful,
|
|
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
|
# GNU General Public License for more details.
|
|
|
#
|
|
|
# You should have received a copy of the GNU General Public License
|
|
|
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
|
"""
|
|
|
Authentication modules
|
|
|
"""
|
|
|
|
|
|
import logging
|
|
|
import traceback
|
|
|
|
|
|
from rhodecode.lib.compat import importlib
|
|
|
from rhodecode.lib.utils2 import str2bool
|
|
|
from rhodecode.lib.compat import formatted_json, hybrid_property
|
|
|
from rhodecode.lib.auth import PasswordGenerator
|
|
|
from rhodecode.model.user import UserModel
|
|
|
from rhodecode.model.db import RhodeCodeSetting, User, UserGroup
|
|
|
from rhodecode.model.meta import Session
|
|
|
from rhodecode.model.user_group import UserGroupModel
|
|
|
|
|
|
log = logging.getLogger(__name__)
|
|
|
|
|
|
|
|
|
class LazyFormencode(object):
|
|
|
def __init__(self, formencode_obj, *args, **kwargs):
|
|
|
self.formencode_obj = formencode_obj
|
|
|
self.args = args
|
|
|
self.kwargs = kwargs
|
|
|
|
|
|
def __call__(self, *args, **kwargs):
|
|
|
from inspect import isfunction
|
|
|
formencode_obj = self.formencode_obj
|
|
|
if isfunction(formencode_obj):
|
|
|
#case we wrap validators into functions
|
|
|
formencode_obj = self.formencode_obj(*args, **kwargs)
|
|
|
return formencode_obj(*self.args, **self.kwargs)
|
|
|
|
|
|
|
|
|
class RhodeCodeAuthPluginBase(object):
|
|
|
auth_func_attrs = {
|
|
|
"username": "unique username",
|
|
|
"firstname": "first name",
|
|
|
"lastname": "last name",
|
|
|
"email": "email address",
|
|
|
"groups": '["list", "of", "groups"]',
|
|
|
"extern_name": "name in external source of record",
|
|
|
"extern_type": "type of external source of record",
|
|
|
"admin": 'True|False defines if user should be RhodeCode super admin',
|
|
|
"active": 'True|False defines active state of user internally for RhodeCode',
|
|
|
"active_from_extern": "True|False\None, active state from the external auth, "
|
|
|
"None means use definition from RhodeCode extern_type active value"
|
|
|
}
|
|
|
|
|
|
@property
|
|
|
def validators(self):
|
|
|
"""
|
|
|
Exposes RhodeCode validators modules
|
|
|
"""
|
|
|
# this is a hack to overcome issues with pylons threadlocals and
|
|
|
# translator object _() not beein registered properly.
|
|
|
class LazyCaller(object):
|
|
|
def __init__(self, name):
|
|
|
self.validator_name = name
|
|
|
|
|
|
def __call__(self, *args, **kwargs):
|
|
|
from rhodecode.model import validators as v
|
|
|
obj = getattr(v, self.validator_name)
|
|
|
#log.debug('Initializing lazy formencode object: %s' % obj)
|
|
|
return LazyFormencode(obj, *args, **kwargs)
|
|
|
|
|
|
|
|
|
class ProxyGet(object):
|
|
|
def __getattribute__(self, name):
|
|
|
return LazyCaller(name)
|
|
|
|
|
|
return ProxyGet()
|
|
|
|
|
|
@hybrid_property
|
|
|
def name(self):
|
|
|
"""
|
|
|
Returns the name of this authentication plugin.
|
|
|
|
|
|
:returns: string
|
|
|
"""
|
|
|
raise NotImplementedError("Not implemented in base class")
|
|
|
|
|
|
@hybrid_property
|
|
|
def is_container_auth(self):
|
|
|
"""
|
|
|
Returns bool if this module uses container auth.
|
|
|
|
|
|
This property will trigger an automatic call to authenticate on
|
|
|
a visit to the website or during a push/pull.
|
|
|
|
|
|
:returns: bool
|
|
|
"""
|
|
|
return False
|
|
|
|
|
|
def accepts(self, user, accepts_empty=True):
|
|
|
"""
|
|
|
Checks if this authentication module should accept a request for
|
|
|
the current user.
|
|
|
|
|
|
:param user: user object fetched using plugin's get_user() method.
|
|
|
:param accepts_empty: if True accepts don't allow the user to be empty
|
|
|
:returns: boolean
|
|
|
"""
|
|
|
plugin_name = self.name
|
|
|
if not user and not accepts_empty:
|
|
|
log.debug('User is empty not allowed to authenticate')
|
|
|
return False
|
|
|
|
|
|
if user and user.extern_type and user.extern_type != plugin_name:
|
|
|
log.debug('User %s should authenticate using %s this is %s, skipping'
|
|
|
% (user, user.extern_type, plugin_name))
|
|
|
|
|
|
return False
|
|
|
return True
|
|
|
|
|
|
def get_user(self, username=None, **kwargs):
|
|
|
"""
|
|
|
Helper method for user fetching in plugins, by default it's using
|
|
|
simple fetch by username, but this method can be custimized in plugins
|
|
|
eg. container auth plugin to fetch user by environ params
|
|
|
|
|
|
:param username: username if given to fetch from database
|
|
|
:param kwargs: extra arguments needed for user fetching.
|
|
|
"""
|
|
|
user = None
|
|
|
log.debug('Trying to fetch user `%s` from RhodeCode database'
|
|
|
% (username))
|
|
|
if username:
|
|
|
user = User.get_by_username(username)
|
|
|
if not user:
|
|
|
log.debug('Fallback to fetch user in case insensitive mode')
|
|
|
user = User.get_by_username(username, case_insensitive=True)
|
|
|
else:
|
|
|
log.debug('provided username:`%s` is empty skipping...' % username)
|
|
|
return user
|
|
|
|
|
|
def settings(self):
|
|
|
"""
|
|
|
Return a list of the form:
|
|
|
[
|
|
|
{
|
|
|
"name": "OPTION_NAME",
|
|
|
"type": "[bool|password|string|int|select]",
|
|
|
["values": ["opt1", "opt2", ...]]
|
|
|
"validator": "expr"
|
|
|
"description": "A short description of the option" [,
|
|
|
"default": Default Value],
|
|
|
["formname": "Friendly Name for Forms"]
|
|
|
} [, ...]
|
|
|
]
|
|
|
|
|
|
This is used to interrogate the authentication plugin as to what
|
|
|
settings it expects to be present and configured.
|
|
|
|
|
|
'type' is a shorthand notation for what kind of value this option is.
|
|
|
This is primarily used by the auth web form to control how the option
|
|
|
is configured.
|
|
|
bool : checkbox
|
|
|
password : password input box
|
|
|
string : input box
|
|
|
select : single select dropdown
|
|
|
|
|
|
'validator' is an lazy instantiated form field validator object, ala
|
|
|
formencode. You need to *call* this object to init the validators.
|
|
|
All calls to RhodeCode validators should be used through self.validators
|
|
|
which is a lazy loading proxy of formencode module.
|
|
|
"""
|
|
|
raise NotImplementedError("Not implemented in base class")
|
|
|
|
|
|
def plugin_settings(self):
|
|
|
"""
|
|
|
This method is called by the authentication framework, not the .settings()
|
|
|
method. This method adds a few default settings (e.g., "active"), so that
|
|
|
plugin authors don't have to maintain a bunch of boilerplate.
|
|
|
|
|
|
OVERRIDING THIS METHOD WILL CAUSE YOUR PLUGIN TO FAIL.
|
|
|
"""
|
|
|
|
|
|
rcsettings = self.settings()
|
|
|
rcsettings.insert(0, {
|
|
|
"name": "enabled",
|
|
|
"validator": self.validators.StringBoolean(if_missing=False),
|
|
|
"type": "bool",
|
|
|
"description": "Enable or Disable this Authentication Plugin",
|
|
|
"formname": "Enabled"
|
|
|
}
|
|
|
)
|
|
|
return rcsettings
|
|
|
|
|
|
def user_activation_state(self):
|
|
|
"""
|
|
|
Defines user activation state when creating new users
|
|
|
|
|
|
:returns: boolean
|
|
|
"""
|
|
|
raise NotImplementedError("Not implemented in base class")
|
|
|
|
|
|
def auth(self, userobj, username, passwd, settings, **kwargs):
|
|
|
"""
|
|
|
Given a user object (which may be null), username, a plaintext password,
|
|
|
and a settings object (containing all the keys needed as listed in settings()),
|
|
|
authenticate this user's login attempt.
|
|
|
|
|
|
Return None on failure. On success, return a dictionary of the form:
|
|
|
|
|
|
see: RhodeCodeAuthPluginBase.auth_func_attrs
|
|
|
This is later validated for correctness
|
|
|
"""
|
|
|
raise NotImplementedError("not implemented in base class")
|
|
|
|
|
|
def _authenticate(self, userobj, username, passwd, settings, **kwargs):
|
|
|
"""
|
|
|
Wrapper to call self.auth() that validates call on it
|
|
|
|
|
|
:param userobj: userobj
|
|
|
:param username: username
|
|
|
:param passwd: plaintext password
|
|
|
:param settings: plugin settings
|
|
|
"""
|
|
|
auth = self.auth(userobj, username, passwd, settings, **kwargs)
|
|
|
if auth:
|
|
|
return self._validate_auth_return(auth)
|
|
|
return auth
|
|
|
|
|
|
def _validate_auth_return(self, ret):
|
|
|
if not isinstance(ret, dict):
|
|
|
raise Exception('returned value from auth must be a dict')
|
|
|
for k in self.auth_func_attrs:
|
|
|
if k not in ret:
|
|
|
raise Exception('Missing %s attribute from returned data' % k)
|
|
|
return ret
|
|
|
|
|
|
|
|
|
class RhodeCodeExternalAuthPlugin(RhodeCodeAuthPluginBase):
|
|
|
def use_fake_password(self):
|
|
|
"""
|
|
|
Return a boolean that indicates whether or not we should set the user's
|
|
|
password to a random value when it is authenticated by this plugin.
|
|
|
If your plugin provides authentication, then you will generally want this.
|
|
|
|
|
|
:returns: boolean
|
|
|
"""
|
|
|
raise NotImplementedError("Not implemented in base class")
|
|
|
|
|
|
def _authenticate(self, userobj, username, passwd, settings, **kwargs):
|
|
|
auth = super(RhodeCodeExternalAuthPlugin, self)._authenticate(
|
|
|
userobj, username, passwd, settings, **kwargs)
|
|
|
if auth:
|
|
|
# maybe plugin will clean the username ?
|
|
|
# we should use the return value
|
|
|
username = auth['username']
|
|
|
# if user is not active from our extern type we should fail to authe
|
|
|
# this can prevent from creating users in RhodeCode when using
|
|
|
# external authentication, but if it's inactive user we shouldn't
|
|
|
# create that user anyway
|
|
|
if auth['active_from_extern'] is False:
|
|
|
log.warning("User %s authenticated against %s, but is inactive"
|
|
|
% (username, self.__module__))
|
|
|
return None
|
|
|
|
|
|
if self.use_fake_password():
|
|
|
# Randomize the PW because we don't need it, but don't want
|
|
|
# them blank either
|
|
|
passwd = PasswordGenerator().gen_password(length=8)
|
|
|
|
|
|
log.debug('Updating or creating user info from %s plugin'
|
|
|
% self.name)
|
|
|
user = UserModel().create_or_update(
|
|
|
username=username,
|
|
|
password=passwd,
|
|
|
email=auth["email"],
|
|
|
firstname=auth["firstname"],
|
|
|
lastname=auth["lastname"],
|
|
|
active=auth["active"],
|
|
|
admin=auth["admin"],
|
|
|
extern_name=auth["extern_name"],
|
|
|
extern_type=self.name
|
|
|
)
|
|
|
Session().flush()
|
|
|
# enforce user is just in given groups, all of them has to be ones
|
|
|
# created from plugins. We store this info in _group_data JSON field
|
|
|
try:
|
|
|
groups = auth['groups'] or []
|
|
|
UserGroupModel().enforce_groups(user, groups, self.name)
|
|
|
except Exception:
|
|
|
# for any reason group syncing fails, we should proceed with login
|
|
|
log.error(traceback.format_exc())
|
|
|
Session().commit()
|
|
|
return auth
|
|
|
|
|
|
|
|
|
def importplugin(plugin):
|
|
|
"""
|
|
|
Imports and returns the authentication plugin in the module named by plugin
|
|
|
(e.g., plugin='rhodecode.lib.auth_modules.auth_rhodecode'). Returns the
|
|
|
RhodeCodeAuthPluginBase subclass on success, raises exceptions on failure.
|
|
|
|
|
|
raises:
|
|
|
AttributeError -- no RhodeCodeAuthPlugin class in the module
|
|
|
TypeError -- if the RhodeCodeAuthPlugin is not a subclass of ours RhodeCodeAuthPluginBase
|
|
|
ImportError -- if we couldn't import the plugin at all
|
|
|
"""
|
|
|
log.debug("Importing %s" % plugin)
|
|
|
PLUGIN_CLASS_NAME = "RhodeCodeAuthPlugin"
|
|
|
try:
|
|
|
module = importlib.import_module(plugin)
|
|
|
except (ImportError, TypeError):
|
|
|
log.error(traceback.format_exc())
|
|
|
# TODO: make this more error prone, if by some accident we screw up
|
|
|
# the plugin name, the crash is preatty bad and hard to recover
|
|
|
raise
|
|
|
|
|
|
log.debug("Loaded auth plugin from %s (module:%s, file:%s)"
|
|
|
% (plugin, module.__name__, module.__file__))
|
|
|
|
|
|
pluginclass = getattr(module, PLUGIN_CLASS_NAME)
|
|
|
if not issubclass(pluginclass, RhodeCodeAuthPluginBase):
|
|
|
raise TypeError("Authentication class %s.RhodeCodeAuthPlugin is not "
|
|
|
"a subclass of %s" % (plugin, RhodeCodeAuthPluginBase))
|
|
|
return pluginclass
|
|
|
|
|
|
|
|
|
def loadplugin(plugin):
|
|
|
"""
|
|
|
Loads and returns an instantiated authentication plugin.
|
|
|
|
|
|
see: importplugin
|
|
|
"""
|
|
|
plugin = importplugin(plugin)()
|
|
|
if plugin.plugin_settings.im_func != RhodeCodeAuthPluginBase.plugin_settings.im_func:
|
|
|
raise TypeError("Authentication class %s.RhodeCodeAuthPluginBase "
|
|
|
"has overriden the plugin_settings method, which is "
|
|
|
"forbidden." % plugin)
|
|
|
return plugin
|
|
|
|
|
|
|
|
|
def authenticate(username, password, environ=None):
|
|
|
"""
|
|
|
Authentication function used for access control,
|
|
|
It tries to authenticate based on enabled authentication modules.
|
|
|
|
|
|
:param username: username can be empty for container auth
|
|
|
:param password: password can be empty for container auth
|
|
|
:param environ: environ headers passed for container auth
|
|
|
:returns: None if auth failed, plugin_user dict if auth is correct
|
|
|
"""
|
|
|
|
|
|
auth_plugins = RhodeCodeSetting.get_auth_plugins()
|
|
|
log.debug('Authentication against %s plugins' % (auth_plugins,))
|
|
|
for module in auth_plugins:
|
|
|
try:
|
|
|
plugin = loadplugin(module)
|
|
|
except (ImportError, AttributeError, TypeError), e:
|
|
|
raise ImportError('Failed to load authentication module %s : %s'
|
|
|
% (module, str(e)))
|
|
|
log.debug('Trying authentication using ** %s **' % (module,))
|
|
|
# load plugin settings from RhodeCode database
|
|
|
plugin_name = plugin.name
|
|
|
plugin_settings = {}
|
|
|
for v in plugin.plugin_settings():
|
|
|
conf_key = "auth_%s_%s" % (plugin_name, v["name"])
|
|
|
setting = RhodeCodeSetting.get_by_name(conf_key)
|
|
|
plugin_settings[v["name"]] = setting.app_settings_value if setting else None
|
|
|
log.debug('Plugin settings \n%s' % formatted_json(plugin_settings))
|
|
|
|
|
|
if not str2bool(plugin_settings["enabled"]):
|
|
|
log.info("Authentication plugin %s is disabled, skipping for %s"
|
|
|
% (module, username))
|
|
|
continue
|
|
|
|
|
|
# use plugin's method of user extraction.
|
|
|
user = plugin.get_user(username, environ=environ,
|
|
|
settings=plugin_settings)
|
|
|
log.debug('Plugin %s extracted user is `%s`' % (module, user))
|
|
|
if not plugin.accepts(user):
|
|
|
log.debug('Plugin %s does not accept user `%s` for authentication'
|
|
|
% (module, user))
|
|
|
continue
|
|
|
else:
|
|
|
log.debug('Plugin %s accepted user `%s` for authentication'
|
|
|
% (module, user))
|
|
|
|
|
|
log.info('Authenticating user using %s plugin' % plugin.__module__)
|
|
|
# _authenticate is a wrapper for .auth() method of plugin.
|
|
|
# it checks if .auth() sends proper data. for RhodeCodeExternalAuthPlugin
|
|
|
# it also maps users to Database and maps the attributes returned
|
|
|
# from .auth() to RhodeCode database. If this function returns data
|
|
|
# then auth is correct.
|
|
|
plugin_user = plugin._authenticate(user, username, password,
|
|
|
plugin_settings,
|
|
|
environ=environ or {})
|
|
|
log.debug('PLUGIN USER DATA: %s' % plugin_user)
|
|
|
|
|
|
if plugin_user:
|
|
|
log.debug('Plugin returned proper authentication data')
|
|
|
return plugin_user
|
|
|
|
|
|
# we failed to Auth because .auth() method didn't return proper the user
|
|
|
log.warning("User `%s` failed to authenticate against %s"
|
|
|
% (username, plugin.__module__))
|
|
|
return None
|
|
|
|
