author | David Douard <david.douard@logilab.fr> |
Thu, 17 Jan 2013 14:55:07 +0100 | |
changeset 8751 | 1a97d46701e7 |
parent 8694 | d901c36bcfce |
child 9032 | 629a8d49d6f5 |
child 9175 | a7412e884d7b |
permissions | -rw-r--r-- |
8544
3d049071957e
massive copyright update to avoid clutering later patches
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
7908
diff
changeset
|
1 |
# copyright 2003-2012 LOGILAB S.A. (Paris, FRANCE), all rights reserved. |
5421
8167de96c523
proper licensing information (LGPL-2.1). Hope I get it right this time.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
5417
diff
changeset
|
2 |
# contact http://www.logilab.fr/ -- mailto:contact@logilab.fr |
8167de96c523
proper licensing information (LGPL-2.1). Hope I get it right this time.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
5417
diff
changeset
|
3 |
# |
8167de96c523
proper licensing information (LGPL-2.1). Hope I get it right this time.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
5417
diff
changeset
|
4 |
# This file is part of CubicWeb. |
8167de96c523
proper licensing information (LGPL-2.1). Hope I get it right this time.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
5417
diff
changeset
|
5 |
# |
8167de96c523
proper licensing information (LGPL-2.1). Hope I get it right this time.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
5417
diff
changeset
|
6 |
# CubicWeb is free software: you can redistribute it and/or modify it under the |
8167de96c523
proper licensing information (LGPL-2.1). Hope I get it right this time.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
5417
diff
changeset
|
7 |
# terms of the GNU Lesser General Public License as published by the Free |
8167de96c523
proper licensing information (LGPL-2.1). Hope I get it right this time.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
5417
diff
changeset
|
8 |
# Software Foundation, either version 2.1 of the License, or (at your option) |
8167de96c523
proper licensing information (LGPL-2.1). Hope I get it right this time.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
5417
diff
changeset
|
9 |
# any later version. |
8167de96c523
proper licensing information (LGPL-2.1). Hope I get it right this time.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
5417
diff
changeset
|
10 |
# |
5424
8ecbcbff9777
replace logilab-common by CubicWeb in disclaimer
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
5421
diff
changeset
|
11 |
# CubicWeb is distributed in the hope that it will be useful, but WITHOUT |
5421
8167de96c523
proper licensing information (LGPL-2.1). Hope I get it right this time.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
5417
diff
changeset
|
12 |
# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS |
8167de96c523
proper licensing information (LGPL-2.1). Hope I get it right this time.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
5417
diff
changeset
|
13 |
# FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more |
8167de96c523
proper licensing information (LGPL-2.1). Hope I get it right this time.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
5417
diff
changeset
|
14 |
# details. |
8167de96c523
proper licensing information (LGPL-2.1). Hope I get it right this time.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
5417
diff
changeset
|
15 |
# |
8167de96c523
proper licensing information (LGPL-2.1). Hope I get it right this time.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
5417
diff
changeset
|
16 |
# You should have received a copy of the GNU Lesser General Public License along |
8167de96c523
proper licensing information (LGPL-2.1). Hope I get it right this time.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
5417
diff
changeset
|
17 |
# with CubicWeb. If not, see <http://www.gnu.org/licenses/>. |
5992 | 18 |
"""user authentication component""" |
0 | 19 |
|
20 |
__docformat__ = "restructuredtext en" |
|
21 |
||
5251
b675edd05c19
[web session] fix web session id bug on automatic reconnection. The web session id should keep the first connection id, then differ of the repo connection id once some reconnection has been done (since the session cookie isn't updated in such cases). Also, use a lock to avoid potential race condition on reconnection.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
5223
diff
changeset
|
22 |
from threading import Lock |
b675edd05c19
[web session] fix web session id bug on automatic reconnection. The web session id should keep the first connection id, then differ of the repo connection id once some reconnection has been done (since the session cookie isn't updated in such cases). Also, use a lock to avoid potential race condition on reconnection.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
5223
diff
changeset
|
23 |
|
0 | 24 |
from logilab.common.decorators import clear_cache |
25 |
||
26 |
from cubicweb import AuthenticationError, BadConnectionId |
|
3658
d8f2ec7e91fa
pluggable authentication information retreiver
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
3647
diff
changeset
|
27 |
from cubicweb.view import Component |
8673
8ea63a2cc2cc
[db-api] rename repo_connect into _repo_connect to mark it private. Closes #2521848
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
8669
diff
changeset
|
28 |
from cubicweb.dbapi import _repo_connect, ConnectionProperties |
5223
6abd6e3599f4
#773448: refactor session and 'no connection' handling, by introducing proper web session. We should now be able to see page even when no anon is configured, and be redirected to the login form as soon as one tries to do a query.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4916
diff
changeset
|
29 |
from cubicweb.web import InvalidSession |
0 | 30 |
from cubicweb.web.application import AbstractAuthenticationManager |
1668 | 31 |
|
3658
d8f2ec7e91fa
pluggable authentication information retreiver
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
3647
diff
changeset
|
32 |
class NoAuthInfo(Exception): pass |
d8f2ec7e91fa
pluggable authentication information retreiver
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
3647
diff
changeset
|
33 |
|
d8f2ec7e91fa
pluggable authentication information retreiver
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
3647
diff
changeset
|
34 |
|
d8f2ec7e91fa
pluggable authentication information retreiver
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
3647
diff
changeset
|
35 |
class WebAuthInfoRetreiver(Component): |
d8f2ec7e91fa
pluggable authentication information retreiver
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
3647
diff
changeset
|
36 |
__registry__ = 'webauth' |
d8f2ec7e91fa
pluggable authentication information retreiver
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
3647
diff
changeset
|
37 |
order = None |
6389
72ba82a26e05
refactor login box & form to enable easy pluggability
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
6012
diff
changeset
|
38 |
__abstract__ = True |
3658
d8f2ec7e91fa
pluggable authentication information retreiver
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
3647
diff
changeset
|
39 |
|
d8f2ec7e91fa
pluggable authentication information retreiver
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
3647
diff
changeset
|
40 |
def authentication_information(self, req): |
d8f2ec7e91fa
pluggable authentication information retreiver
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
3647
diff
changeset
|
41 |
"""retreive authentication information from the given request, raise |
d8f2ec7e91fa
pluggable authentication information retreiver
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
3647
diff
changeset
|
42 |
NoAuthInfo if expected information is not found. |
d8f2ec7e91fa
pluggable authentication information retreiver
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
3647
diff
changeset
|
43 |
""" |
d8f2ec7e91fa
pluggable authentication information retreiver
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
3647
diff
changeset
|
44 |
raise NotImplementedError() |
d8f2ec7e91fa
pluggable authentication information retreiver
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
3647
diff
changeset
|
45 |
|
5223
6abd6e3599f4
#773448: refactor session and 'no connection' handling, by introducing proper web session. We should now be able to see page even when no anon is configured, and be redirected to the login form as soon as one tries to do a query.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4916
diff
changeset
|
46 |
def authenticated(self, retreiver, req, cnx, login, authinfo): |
3658
d8f2ec7e91fa
pluggable authentication information retreiver
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
3647
diff
changeset
|
47 |
"""callback when return authentication information have opened a |
5223
6abd6e3599f4
#773448: refactor session and 'no connection' handling, by introducing proper web session. We should now be able to see page even when no anon is configured, and be redirected to the login form as soon as one tries to do a query.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4916
diff
changeset
|
48 |
repository connection successfully. Take care req has no session |
6abd6e3599f4
#773448: refactor session and 'no connection' handling, by introducing proper web session. We should now be able to see page even when no anon is configured, and be redirected to the login form as soon as one tries to do a query.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4916
diff
changeset
|
49 |
attached yet, hence req.execute isn't available. |
3658
d8f2ec7e91fa
pluggable authentication information retreiver
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
3647
diff
changeset
|
50 |
""" |
d8f2ec7e91fa
pluggable authentication information retreiver
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
3647
diff
changeset
|
51 |
pass |
d8f2ec7e91fa
pluggable authentication information retreiver
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
3647
diff
changeset
|
52 |
|
6389
72ba82a26e05
refactor login box & form to enable easy pluggability
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
6012
diff
changeset
|
53 |
def request_has_auth_info(self, req): |
72ba82a26e05
refactor login box & form to enable easy pluggability
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
6012
diff
changeset
|
54 |
"""tells from the request if it has enough information |
72ba82a26e05
refactor login box & form to enable easy pluggability
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
6012
diff
changeset
|
55 |
to proceed to authentication, would the current session |
72ba82a26e05
refactor login box & form to enable easy pluggability
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
6012
diff
changeset
|
56 |
be invalidated |
72ba82a26e05
refactor login box & form to enable easy pluggability
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
6012
diff
changeset
|
57 |
""" |
72ba82a26e05
refactor login box & form to enable easy pluggability
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
6012
diff
changeset
|
58 |
raise NotImplementedError() |
72ba82a26e05
refactor login box & form to enable easy pluggability
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
6012
diff
changeset
|
59 |
|
72ba82a26e05
refactor login box & form to enable easy pluggability
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
6012
diff
changeset
|
60 |
def revalidate_login(self, req): |
6435
71b2a3fe7ba1
backport stable
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
6418
diff
changeset
|
61 |
"""returns a login string or None, for repository session validation |
71b2a3fe7ba1
backport stable
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
6418
diff
changeset
|
62 |
purposes |
6389
72ba82a26e05
refactor login box & form to enable easy pluggability
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
6012
diff
changeset
|
63 |
""" |
6391
e330ead0804b
[authentication] force retriever implementor to think about it
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
6389
diff
changeset
|
64 |
raise NotImplementedError() |
3658
d8f2ec7e91fa
pluggable authentication information retreiver
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
3647
diff
changeset
|
65 |
|
7908
faec7589f742
[web auth] closes #1981680: authentication info retriever should be given a chance to cleanup data
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
6848
diff
changeset
|
66 |
def cleanup_authentication_information(self, req): |
faec7589f742
[web auth] closes #1981680: authentication info retriever should be given a chance to cleanup data
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
6848
diff
changeset
|
67 |
"""called when the retriever has returned some authentication |
faec7589f742
[web auth] closes #1981680: authentication info retriever should be given a chance to cleanup data
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
6848
diff
changeset
|
68 |
information but we get an authentication error when using them, so it |
faec7589f742
[web auth] closes #1981680: authentication info retriever should be given a chance to cleanup data
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
6848
diff
changeset
|
69 |
get a chance to cleanup things (e.g. remove cookie) |
faec7589f742
[web auth] closes #1981680: authentication info retriever should be given a chance to cleanup data
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
6848
diff
changeset
|
70 |
""" |
faec7589f742
[web auth] closes #1981680: authentication info retriever should be given a chance to cleanup data
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
6848
diff
changeset
|
71 |
pass |
faec7589f742
[web auth] closes #1981680: authentication info retriever should be given a chance to cleanup data
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
6848
diff
changeset
|
72 |
|
faec7589f742
[web auth] closes #1981680: authentication info retriever should be given a chance to cleanup data
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
6848
diff
changeset
|
73 |
|
3658
d8f2ec7e91fa
pluggable authentication information retreiver
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
3647
diff
changeset
|
74 |
class LoginPasswordRetreiver(WebAuthInfoRetreiver): |
d8f2ec7e91fa
pluggable authentication information retreiver
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
3647
diff
changeset
|
75 |
__regid__ = 'loginpwdauth' |
d8f2ec7e91fa
pluggable authentication information retreiver
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
3647
diff
changeset
|
76 |
order = 10 |
d8f2ec7e91fa
pluggable authentication information retreiver
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
3647
diff
changeset
|
77 |
|
d8f2ec7e91fa
pluggable authentication information retreiver
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
3647
diff
changeset
|
78 |
def authentication_information(self, req): |
d8f2ec7e91fa
pluggable authentication information retreiver
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
3647
diff
changeset
|
79 |
"""retreive authentication information from the given request, raise |
d8f2ec7e91fa
pluggable authentication information retreiver
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
3647
diff
changeset
|
80 |
NoAuthInfo if expected information is not found. |
d8f2ec7e91fa
pluggable authentication information retreiver
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
3647
diff
changeset
|
81 |
""" |
d8f2ec7e91fa
pluggable authentication information retreiver
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
3647
diff
changeset
|
82 |
login, password = req.get_authorization() |
d8f2ec7e91fa
pluggable authentication information retreiver
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
3647
diff
changeset
|
83 |
if not login: |
4910
f40fddaa79ad
[web auth] fix authentication pb when anonymous are allowed, avoiding the first authentifier to return an anon connection while a following one may find correct authentication info. This make things simpler (eventually)
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4856
diff
changeset
|
84 |
raise NoAuthInfo() |
3658
d8f2ec7e91fa
pluggable authentication information retreiver
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
3647
diff
changeset
|
85 |
return login, {'password': password} |
d8f2ec7e91fa
pluggable authentication information retreiver
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
3647
diff
changeset
|
86 |
|
6389
72ba82a26e05
refactor login box & form to enable easy pluggability
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
6012
diff
changeset
|
87 |
def request_has_auth_info(self, req): |
6418
948a9f8514b2
[views/authentication] fix http auth regression (no message)
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
6391
diff
changeset
|
88 |
return req.get_authorization()[0] is not None |
6389
72ba82a26e05
refactor login box & form to enable easy pluggability
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
6012
diff
changeset
|
89 |
|
72ba82a26e05
refactor login box & form to enable easy pluggability
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
6012
diff
changeset
|
90 |
def revalidate_login(self, req): |
72ba82a26e05
refactor login box & form to enable easy pluggability
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
6012
diff
changeset
|
91 |
return req.get_authorization()[0] |
0 | 92 |
|
93 |
class RepositoryAuthenticationManager(AbstractAuthenticationManager): |
|
94 |
"""authenticate user associated to a request and check session validity""" |
|
1668 | 95 |
|
2887
1282dc6525c5
give vreg where we need it (eg no bound request)
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2267
diff
changeset
|
96 |
def __init__(self, vreg): |
1282dc6525c5
give vreg where we need it (eg no bound request)
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2267
diff
changeset
|
97 |
super(RepositoryAuthenticationManager, self).__init__(vreg) |
1282dc6525c5
give vreg where we need it (eg no bound request)
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2267
diff
changeset
|
98 |
self.repo = vreg.config.repository(vreg) |
1282dc6525c5
give vreg where we need it (eg no bound request)
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2267
diff
changeset
|
99 |
self.log_queries = vreg.config['query-log-file'] |
6389
72ba82a26e05
refactor login box & form to enable easy pluggability
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
6012
diff
changeset
|
100 |
self.authinforetrievers = sorted(vreg['webauth'].possible_objects(vreg), |
6012
d56fd78006cd
[session] cleanup session-time / cleanup-session-time...
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
5992
diff
changeset
|
101 |
key=lambda x: x.order) |
5223
6abd6e3599f4
#773448: refactor session and 'no connection' handling, by introducing proper web session. We should now be able to see page even when no anon is configured, and be redirected to the login form as soon as one tries to do a query.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4916
diff
changeset
|
102 |
# 2-uple login / password, login is None when no anonymous access |
6abd6e3599f4
#773448: refactor session and 'no connection' handling, by introducing proper web session. We should now be able to see page even when no anon is configured, and be redirected to the login form as soon as one tries to do a query.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4916
diff
changeset
|
103 |
# configured |
4910
f40fddaa79ad
[web auth] fix authentication pb when anonymous are allowed, avoiding the first authentifier to return an anon connection while a following one may find correct authentication info. This make things simpler (eventually)
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4856
diff
changeset
|
104 |
self.anoninfo = vreg.config.anonymous_user() |
5223
6abd6e3599f4
#773448: refactor session and 'no connection' handling, by introducing proper web session. We should now be able to see page even when no anon is configured, and be redirected to the login form as soon as one tries to do a query.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4916
diff
changeset
|
105 |
if self.anoninfo[0]: |
6abd6e3599f4
#773448: refactor session and 'no connection' handling, by introducing proper web session. We should now be able to see page even when no anon is configured, and be redirected to the login form as soon as one tries to do a query.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4916
diff
changeset
|
106 |
self.anoninfo = (self.anoninfo[0], {'password': self.anoninfo[1]}) |
0 | 107 |
|
108 |
def validate_session(self, req, session): |
|
6848
f87cd875c6db
[web session] cleanup session/authentication api: we don't have anymore to store authentication information on web session since the auto-reconnection feature has been dropped (eg in 3.10)
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
6435
diff
changeset
|
109 |
"""check session validity and return the connected user on success. |
0 | 110 |
|
5223
6abd6e3599f4
#773448: refactor session and 'no connection' handling, by introducing proper web session. We should now be able to see page even when no anon is configured, and be redirected to the login form as soon as one tries to do a query.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4916
diff
changeset
|
111 |
raise :exc:`InvalidSession` if session is corrupted for a reason or |
6abd6e3599f4
#773448: refactor session and 'no connection' handling, by introducing proper web session. We should now be able to see page even when no anon is configured, and be redirected to the login form as soon as one tries to do a query.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4916
diff
changeset
|
112 |
another and should be closed |
6389
72ba82a26e05
refactor login box & form to enable easy pluggability
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
6012
diff
changeset
|
113 |
|
72ba82a26e05
refactor login box & form to enable easy pluggability
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
6012
diff
changeset
|
114 |
also invoked while going from anonymous to logged in |
0 | 115 |
""" |
6389
72ba82a26e05
refactor login box & form to enable easy pluggability
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
6012
diff
changeset
|
116 |
for retriever in self.authinforetrievers: |
72ba82a26e05
refactor login box & form to enable easy pluggability
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
6012
diff
changeset
|
117 |
if retriever.request_has_auth_info(req): |
72ba82a26e05
refactor login box & form to enable easy pluggability
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
6012
diff
changeset
|
118 |
login = retriever.revalidate_login(req) |
72ba82a26e05
refactor login box & form to enable easy pluggability
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
6012
diff
changeset
|
119 |
return self._validate_session(req, session, login) |
72ba82a26e05
refactor login box & form to enable easy pluggability
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
6012
diff
changeset
|
120 |
# let's try with the current session |
72ba82a26e05
refactor login box & form to enable easy pluggability
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
6012
diff
changeset
|
121 |
return self._validate_session(req, session, None) |
72ba82a26e05
refactor login box & form to enable easy pluggability
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
6012
diff
changeset
|
122 |
|
72ba82a26e05
refactor login box & form to enable easy pluggability
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
6012
diff
changeset
|
123 |
def _validate_session(self, req, session, login): |
5251
b675edd05c19
[web session] fix web session id bug on automatic reconnection. The web session id should keep the first connection id, then differ of the repo connection id once some reconnection has been done (since the session cookie isn't updated in such cases). Also, use a lock to avoid potential race condition on reconnection.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
5223
diff
changeset
|
124 |
# check session.login and not user.login, since in case of login by |
5223
6abd6e3599f4
#773448: refactor session and 'no connection' handling, by introducing proper web session. We should now be able to see page even when no anon is configured, and be redirected to the login form as soon as one tries to do a query.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4916
diff
changeset
|
125 |
# email, login and cnx.login are the email while user.login is the |
6abd6e3599f4
#773448: refactor session and 'no connection' handling, by introducing proper web session. We should now be able to see page even when no anon is configured, and be redirected to the login form as soon as one tries to do a query.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4916
diff
changeset
|
126 |
# actual user login |
6abd6e3599f4
#773448: refactor session and 'no connection' handling, by introducing proper web session. We should now be able to see page even when no anon is configured, and be redirected to the login form as soon as one tries to do a query.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4916
diff
changeset
|
127 |
if login and session.login != login: |
6abd6e3599f4
#773448: refactor session and 'no connection' handling, by introducing proper web session. We should now be able to see page even when no anon is configured, and be redirected to the login form as soon as one tries to do a query.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4916
diff
changeset
|
128 |
raise InvalidSession('login mismatch') |
0 | 129 |
try: |
6012
d56fd78006cd
[session] cleanup session-time / cleanup-session-time...
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
5992
diff
changeset
|
130 |
# calling cnx.user() check connection validity, raise |
d56fd78006cd
[session] cleanup session-time / cleanup-session-time...
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
5992
diff
changeset
|
131 |
# BadConnectionId on failure |
d56fd78006cd
[session] cleanup session-time / cleanup-session-time...
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
5992
diff
changeset
|
132 |
user = session.cnx.user(req) |
d56fd78006cd
[session] cleanup session-time / cleanup-session-time...
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
5992
diff
changeset
|
133 |
except BadConnectionId: |
d56fd78006cd
[session] cleanup session-time / cleanup-session-time...
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
5992
diff
changeset
|
134 |
raise InvalidSession('bad connection id') |
5223
6abd6e3599f4
#773448: refactor session and 'no connection' handling, by introducing proper web session. We should now be able to see page even when no anon is configured, and be redirected to the login form as soon as one tries to do a query.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4916
diff
changeset
|
135 |
return user |
1488
6da89a703c5a
add ability to login with a primary email address - no tests for now are unittest_application.py are now broken
Florent <florent@secondweb.fr>
parents:
0
diff
changeset
|
136 |
|
3658
d8f2ec7e91fa
pluggable authentication information retreiver
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
3647
diff
changeset
|
137 |
def authenticate(self, req): |
5223
6abd6e3599f4
#773448: refactor session and 'no connection' handling, by introducing proper web session. We should now be able to see page even when no anon is configured, and be redirected to the login form as soon as one tries to do a query.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4916
diff
changeset
|
138 |
"""authenticate user using connection information found in the request, |
6abd6e3599f4
#773448: refactor session and 'no connection' handling, by introducing proper web session. We should now be able to see page even when no anon is configured, and be redirected to the login form as soon as one tries to do a query.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4916
diff
changeset
|
139 |
and return corresponding a :class:`~cubicweb.dbapi.Connection` instance, |
6848
f87cd875c6db
[web session] cleanup session/authentication api: we don't have anymore to store authentication information on web session since the auto-reconnection feature has been dropped (eg in 3.10)
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
6435
diff
changeset
|
140 |
as well as login used to open the connection. |
1488
6da89a703c5a
add ability to login with a primary email address - no tests for now are unittest_application.py are now broken
Florent <florent@secondweb.fr>
parents:
0
diff
changeset
|
141 |
|
5223
6abd6e3599f4
#773448: refactor session and 'no connection' handling, by introducing proper web session. We should now be able to see page even when no anon is configured, and be redirected to the login form as soon as one tries to do a query.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4916
diff
changeset
|
142 |
raise :exc:`cubicweb.AuthenticationError` if authentication failed |
6abd6e3599f4
#773448: refactor session and 'no connection' handling, by introducing proper web session. We should now be able to see page even when no anon is configured, and be redirected to the login form as soon as one tries to do a query.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4916
diff
changeset
|
143 |
(no authentication info found or wrong user/password) |
0 | 144 |
""" |
6389
72ba82a26e05
refactor login box & form to enable easy pluggability
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
6012
diff
changeset
|
145 |
for retriever in self.authinforetrievers: |
3658
d8f2ec7e91fa
pluggable authentication information retreiver
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
3647
diff
changeset
|
146 |
try: |
6389
72ba82a26e05
refactor login box & form to enable easy pluggability
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
6012
diff
changeset
|
147 |
login, authinfo = retriever.authentication_information(req) |
3658
d8f2ec7e91fa
pluggable authentication information retreiver
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
3647
diff
changeset
|
148 |
except NoAuthInfo: |
d8f2ec7e91fa
pluggable authentication information retreiver
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
3647
diff
changeset
|
149 |
continue |
4855
e69b2f2f2d61
when some authentication plugin fail, we may try another one
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4252
diff
changeset
|
150 |
try: |
5223
6abd6e3599f4
#773448: refactor session and 'no connection' handling, by introducing proper web session. We should now be able to see page even when no anon is configured, and be redirected to the login form as soon as one tries to do a query.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4916
diff
changeset
|
151 |
cnx = self._authenticate(login, authinfo) |
6abd6e3599f4
#773448: refactor session and 'no connection' handling, by introducing proper web session. We should now be able to see page even when no anon is configured, and be redirected to the login form as soon as one tries to do a query.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4916
diff
changeset
|
152 |
except AuthenticationError: |
7908
faec7589f742
[web auth] closes #1981680: authentication info retriever should be given a chance to cleanup data
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
6848
diff
changeset
|
153 |
retriever.cleanup_authentication_information(req) |
4855
e69b2f2f2d61
when some authentication plugin fail, we may try another one
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4252
diff
changeset
|
154 |
continue # the next one may succeed |
6389
72ba82a26e05
refactor login box & form to enable easy pluggability
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
6012
diff
changeset
|
155 |
for retriever_ in self.authinforetrievers: |
72ba82a26e05
refactor login box & form to enable easy pluggability
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
6012
diff
changeset
|
156 |
retriever_.authenticated(retriever, req, cnx, login, authinfo) |
6848
f87cd875c6db
[web session] cleanup session/authentication api: we don't have anymore to store authentication information on web session since the auto-reconnection feature has been dropped (eg in 3.10)
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
6435
diff
changeset
|
157 |
return cnx, login |
5223
6abd6e3599f4
#773448: refactor session and 'no connection' handling, by introducing proper web session. We should now be able to see page even when no anon is configured, and be redirected to the login form as soon as one tries to do a query.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4916
diff
changeset
|
158 |
# false if no authentication info found, eg this is not an |
6abd6e3599f4
#773448: refactor session and 'no connection' handling, by introducing proper web session. We should now be able to see page even when no anon is configured, and be redirected to the login form as soon as one tries to do a query.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4916
diff
changeset
|
159 |
# authentication failure |
6abd6e3599f4
#773448: refactor session and 'no connection' handling, by introducing proper web session. We should now be able to see page even when no anon is configured, and be redirected to the login form as soon as one tries to do a query.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4916
diff
changeset
|
160 |
if 'login' in locals(): |
6abd6e3599f4
#773448: refactor session and 'no connection' handling, by introducing proper web session. We should now be able to see page even when no anon is configured, and be redirected to the login form as soon as one tries to do a query.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4916
diff
changeset
|
161 |
req.set_message(req._('authentication failure')) |
6abd6e3599f4
#773448: refactor session and 'no connection' handling, by introducing proper web session. We should now be able to see page even when no anon is configured, and be redirected to the login form as soon as one tries to do a query.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4916
diff
changeset
|
162 |
login, authinfo = self.anoninfo |
6abd6e3599f4
#773448: refactor session and 'no connection' handling, by introducing proper web session. We should now be able to see page even when no anon is configured, and be redirected to the login form as soon as one tries to do a query.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4916
diff
changeset
|
163 |
if login: |
6abd6e3599f4
#773448: refactor session and 'no connection' handling, by introducing proper web session. We should now be able to see page even when no anon is configured, and be redirected to the login form as soon as one tries to do a query.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4916
diff
changeset
|
164 |
cnx = self._authenticate(login, authinfo) |
6abd6e3599f4
#773448: refactor session and 'no connection' handling, by introducing proper web session. We should now be able to see page even when no anon is configured, and be redirected to the login form as soon as one tries to do a query.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4916
diff
changeset
|
165 |
cnx.anonymous_connection = True |
6848
f87cd875c6db
[web session] cleanup session/authentication api: we don't have anymore to store authentication information on web session since the auto-reconnection feature has been dropped (eg in 3.10)
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
6435
diff
changeset
|
166 |
return cnx, login |
5223
6abd6e3599f4
#773448: refactor session and 'no connection' handling, by introducing proper web session. We should now be able to see page even when no anon is configured, and be redirected to the login form as soon as one tries to do a query.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4916
diff
changeset
|
167 |
raise AuthenticationError() |
3658
d8f2ec7e91fa
pluggable authentication information retreiver
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
3647
diff
changeset
|
168 |
|
5223
6abd6e3599f4
#773448: refactor session and 'no connection' handling, by introducing proper web session. We should now be able to see page even when no anon is configured, and be redirected to the login form as soon as one tries to do a query.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4916
diff
changeset
|
169 |
def _authenticate(self, login, authinfo): |
8669
62213a34726e
[db-api/configuration] simplify db-api and configuration so that all the connection information is in the repository url, closes #2521848
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
8544
diff
changeset
|
170 |
cnxprops = ConnectionProperties(close=False, log=self.log_queries) |
8673
8ea63a2cc2cc
[db-api] rename repo_connect into _repo_connect to mark it private. Closes #2521848
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
8669
diff
changeset
|
171 |
cnx = _repo_connect(self.repo, login, cnxprops=cnxprops, **authinfo) |
5223
6abd6e3599f4
#773448: refactor session and 'no connection' handling, by introducing proper web session. We should now be able to see page even when no anon is configured, and be redirected to the login form as soon as one tries to do a query.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4916
diff
changeset
|
172 |
# decorate connection |
6abd6e3599f4
#773448: refactor session and 'no connection' handling, by introducing proper web session. We should now be able to see page even when no anon is configured, and be redirected to the login form as soon as one tries to do a query.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4916
diff
changeset
|
173 |
cnx.vreg = self.vreg |
0 | 174 |
return cnx |
175 |