author | Aurelien Campeas <aurelien.campeas@logilab.fr> |
Tue, 04 May 2010 11:09:18 +0200 | |
branch | stable |
changeset 5459 | 6e561796804c |
parent 5426 | 0d4853a6e5ee |
child 5992 | 5f9a9086c171 |
permissions | -rw-r--r-- |
5421
8167de96c523
proper licensing information (LGPL-2.1). Hope I get it right this time.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
5417
diff
changeset
|
1 |
# copyright 2003-2010 LOGILAB S.A. (Paris, FRANCE), all rights reserved. |
8167de96c523
proper licensing information (LGPL-2.1). Hope I get it right this time.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
5417
diff
changeset
|
2 |
# contact http://www.logilab.fr/ -- mailto:contact@logilab.fr |
8167de96c523
proper licensing information (LGPL-2.1). Hope I get it right this time.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
5417
diff
changeset
|
3 |
# |
8167de96c523
proper licensing information (LGPL-2.1). Hope I get it right this time.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
5417
diff
changeset
|
4 |
# This file is part of CubicWeb. |
8167de96c523
proper licensing information (LGPL-2.1). Hope I get it right this time.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
5417
diff
changeset
|
5 |
# |
8167de96c523
proper licensing information (LGPL-2.1). Hope I get it right this time.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
5417
diff
changeset
|
6 |
# CubicWeb is free software: you can redistribute it and/or modify it under the |
8167de96c523
proper licensing information (LGPL-2.1). Hope I get it right this time.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
5417
diff
changeset
|
7 |
# terms of the GNU Lesser General Public License as published by the Free |
8167de96c523
proper licensing information (LGPL-2.1). Hope I get it right this time.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
5417
diff
changeset
|
8 |
# Software Foundation, either version 2.1 of the License, or (at your option) |
8167de96c523
proper licensing information (LGPL-2.1). Hope I get it right this time.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
5417
diff
changeset
|
9 |
# any later version. |
8167de96c523
proper licensing information (LGPL-2.1). Hope I get it right this time.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
5417
diff
changeset
|
10 |
# |
5424
8ecbcbff9777
replace logilab-common by CubicWeb in disclaimer
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
5421
diff
changeset
|
11 |
# CubicWeb is distributed in the hope that it will be useful, but WITHOUT |
5421
8167de96c523
proper licensing information (LGPL-2.1). Hope I get it right this time.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
5417
diff
changeset
|
12 |
# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS |
8167de96c523
proper licensing information (LGPL-2.1). Hope I get it right this time.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
5417
diff
changeset
|
13 |
# FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more |
8167de96c523
proper licensing information (LGPL-2.1). Hope I get it right this time.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
5417
diff
changeset
|
14 |
# details. |
8167de96c523
proper licensing information (LGPL-2.1). Hope I get it right this time.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
5417
diff
changeset
|
15 |
# |
8167de96c523
proper licensing information (LGPL-2.1). Hope I get it right this time.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
5417
diff
changeset
|
16 |
# You should have received a copy of the GNU Lesser General Public License along |
8167de96c523
proper licensing information (LGPL-2.1). Hope I get it right this time.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
5417
diff
changeset
|
17 |
# with CubicWeb. If not, see <http://www.gnu.org/licenses/>. |
0 | 18 |
"""user authentication component |
19 |
||
20 |
""" |
|
5251
b675edd05c19
[web session] fix web session id bug on automatic reconnection. The web session id should keep the first connection id, then differ of the repo connection id once some reconnection has been done (since the session cookie isn't updated in such cases). Also, use a lock to avoid potential race condition on reconnection.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
5223
diff
changeset
|
21 |
from __future__ import with_statement |
b675edd05c19
[web session] fix web session id bug on automatic reconnection. The web session id should keep the first connection id, then differ of the repo connection id once some reconnection has been done (since the session cookie isn't updated in such cases). Also, use a lock to avoid potential race condition on reconnection.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
5223
diff
changeset
|
22 |
|
0 | 23 |
__docformat__ = "restructuredtext en" |
24 |
||
5251
b675edd05c19
[web session] fix web session id bug on automatic reconnection. The web session id should keep the first connection id, then differ of the repo connection id once some reconnection has been done (since the session cookie isn't updated in such cases). Also, use a lock to avoid potential race condition on reconnection.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
5223
diff
changeset
|
25 |
from threading import Lock |
b675edd05c19
[web session] fix web session id bug on automatic reconnection. The web session id should keep the first connection id, then differ of the repo connection id once some reconnection has been done (since the session cookie isn't updated in such cases). Also, use a lock to avoid potential race condition on reconnection.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
5223
diff
changeset
|
26 |
|
0 | 27 |
from logilab.common.decorators import clear_cache |
28 |
||
29 |
from cubicweb import AuthenticationError, BadConnectionId |
|
3658
d8f2ec7e91fa
pluggable authentication information retreiver
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
3647
diff
changeset
|
30 |
from cubicweb.view import Component |
0 | 31 |
from cubicweb.dbapi import repo_connect, ConnectionProperties |
5223
6abd6e3599f4
#773448: refactor session and 'no connection' handling, by introducing proper web session. We should now be able to see page even when no anon is configured, and be redirected to the login form as soon as one tries to do a query.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4916
diff
changeset
|
32 |
from cubicweb.web import InvalidSession |
0 | 33 |
from cubicweb.web.application import AbstractAuthenticationManager |
1668 | 34 |
|
3658
d8f2ec7e91fa
pluggable authentication information retreiver
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
3647
diff
changeset
|
35 |
class NoAuthInfo(Exception): pass |
d8f2ec7e91fa
pluggable authentication information retreiver
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
3647
diff
changeset
|
36 |
|
d8f2ec7e91fa
pluggable authentication information retreiver
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
3647
diff
changeset
|
37 |
|
d8f2ec7e91fa
pluggable authentication information retreiver
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
3647
diff
changeset
|
38 |
class WebAuthInfoRetreiver(Component): |
d8f2ec7e91fa
pluggable authentication information retreiver
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
3647
diff
changeset
|
39 |
__registry__ = 'webauth' |
d8f2ec7e91fa
pluggable authentication information retreiver
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
3647
diff
changeset
|
40 |
order = None |
d8f2ec7e91fa
pluggable authentication information retreiver
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
3647
diff
changeset
|
41 |
|
d8f2ec7e91fa
pluggable authentication information retreiver
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
3647
diff
changeset
|
42 |
def authentication_information(self, req): |
d8f2ec7e91fa
pluggable authentication information retreiver
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
3647
diff
changeset
|
43 |
"""retreive authentication information from the given request, raise |
d8f2ec7e91fa
pluggable authentication information retreiver
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
3647
diff
changeset
|
44 |
NoAuthInfo if expected information is not found. |
d8f2ec7e91fa
pluggable authentication information retreiver
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
3647
diff
changeset
|
45 |
""" |
d8f2ec7e91fa
pluggable authentication information retreiver
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
3647
diff
changeset
|
46 |
raise NotImplementedError() |
d8f2ec7e91fa
pluggable authentication information retreiver
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
3647
diff
changeset
|
47 |
|
5223
6abd6e3599f4
#773448: refactor session and 'no connection' handling, by introducing proper web session. We should now be able to see page even when no anon is configured, and be redirected to the login form as soon as one tries to do a query.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4916
diff
changeset
|
48 |
def authenticated(self, retreiver, req, cnx, login, authinfo): |
3658
d8f2ec7e91fa
pluggable authentication information retreiver
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
3647
diff
changeset
|
49 |
"""callback when return authentication information have opened a |
5223
6abd6e3599f4
#773448: refactor session and 'no connection' handling, by introducing proper web session. We should now be able to see page even when no anon is configured, and be redirected to the login form as soon as one tries to do a query.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4916
diff
changeset
|
50 |
repository connection successfully. Take care req has no session |
6abd6e3599f4
#773448: refactor session and 'no connection' handling, by introducing proper web session. We should now be able to see page even when no anon is configured, and be redirected to the login form as soon as one tries to do a query.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4916
diff
changeset
|
51 |
attached yet, hence req.execute isn't available. |
3658
d8f2ec7e91fa
pluggable authentication information retreiver
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
3647
diff
changeset
|
52 |
""" |
d8f2ec7e91fa
pluggable authentication information retreiver
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
3647
diff
changeset
|
53 |
pass |
d8f2ec7e91fa
pluggable authentication information retreiver
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
3647
diff
changeset
|
54 |
|
d8f2ec7e91fa
pluggable authentication information retreiver
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
3647
diff
changeset
|
55 |
|
d8f2ec7e91fa
pluggable authentication information retreiver
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
3647
diff
changeset
|
56 |
class LoginPasswordRetreiver(WebAuthInfoRetreiver): |
d8f2ec7e91fa
pluggable authentication information retreiver
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
3647
diff
changeset
|
57 |
__regid__ = 'loginpwdauth' |
d8f2ec7e91fa
pluggable authentication information retreiver
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
3647
diff
changeset
|
58 |
order = 10 |
d8f2ec7e91fa
pluggable authentication information retreiver
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
3647
diff
changeset
|
59 |
|
d8f2ec7e91fa
pluggable authentication information retreiver
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
3647
diff
changeset
|
60 |
def authentication_information(self, req): |
d8f2ec7e91fa
pluggable authentication information retreiver
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
3647
diff
changeset
|
61 |
"""retreive authentication information from the given request, raise |
d8f2ec7e91fa
pluggable authentication information retreiver
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
3647
diff
changeset
|
62 |
NoAuthInfo if expected information is not found. |
d8f2ec7e91fa
pluggable authentication information retreiver
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
3647
diff
changeset
|
63 |
""" |
d8f2ec7e91fa
pluggable authentication information retreiver
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
3647
diff
changeset
|
64 |
login, password = req.get_authorization() |
d8f2ec7e91fa
pluggable authentication information retreiver
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
3647
diff
changeset
|
65 |
if not login: |
4910
f40fddaa79ad
[web auth] fix authentication pb when anonymous are allowed, avoiding the first authentifier to return an anon connection while a following one may find correct authentication info. This make things simpler (eventually)
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4856
diff
changeset
|
66 |
raise NoAuthInfo() |
3658
d8f2ec7e91fa
pluggable authentication information retreiver
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
3647
diff
changeset
|
67 |
return login, {'password': password} |
d8f2ec7e91fa
pluggable authentication information retreiver
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
3647
diff
changeset
|
68 |
|
0 | 69 |
|
70 |
class RepositoryAuthenticationManager(AbstractAuthenticationManager): |
|
71 |
"""authenticate user associated to a request and check session validity""" |
|
1668 | 72 |
|
2887
1282dc6525c5
give vreg where we need it (eg no bound request)
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2267
diff
changeset
|
73 |
def __init__(self, vreg): |
1282dc6525c5
give vreg where we need it (eg no bound request)
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2267
diff
changeset
|
74 |
super(RepositoryAuthenticationManager, self).__init__(vreg) |
1282dc6525c5
give vreg where we need it (eg no bound request)
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2267
diff
changeset
|
75 |
self.repo = vreg.config.repository(vreg) |
1282dc6525c5
give vreg where we need it (eg no bound request)
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2267
diff
changeset
|
76 |
self.log_queries = vreg.config['query-log-file'] |
3658
d8f2ec7e91fa
pluggable authentication information retreiver
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
3647
diff
changeset
|
77 |
self.authinforetreivers = sorted(vreg['webauth'].possible_objects(vreg), |
d8f2ec7e91fa
pluggable authentication information retreiver
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
3647
diff
changeset
|
78 |
key=lambda x: x.order) |
5223
6abd6e3599f4
#773448: refactor session and 'no connection' handling, by introducing proper web session. We should now be able to see page even when no anon is configured, and be redirected to the login form as soon as one tries to do a query.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4916
diff
changeset
|
79 |
# 2-uple login / password, login is None when no anonymous access |
6abd6e3599f4
#773448: refactor session and 'no connection' handling, by introducing proper web session. We should now be able to see page even when no anon is configured, and be redirected to the login form as soon as one tries to do a query.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4916
diff
changeset
|
80 |
# configured |
4910
f40fddaa79ad
[web auth] fix authentication pb when anonymous are allowed, avoiding the first authentifier to return an anon connection while a following one may find correct authentication info. This make things simpler (eventually)
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4856
diff
changeset
|
81 |
self.anoninfo = vreg.config.anonymous_user() |
5223
6abd6e3599f4
#773448: refactor session and 'no connection' handling, by introducing proper web session. We should now be able to see page even when no anon is configured, and be redirected to the login form as soon as one tries to do a query.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4916
diff
changeset
|
82 |
if self.anoninfo[0]: |
6abd6e3599f4
#773448: refactor session and 'no connection' handling, by introducing proper web session. We should now be able to see page even when no anon is configured, and be redirected to the login form as soon as one tries to do a query.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4916
diff
changeset
|
83 |
self.anoninfo = (self.anoninfo[0], {'password': self.anoninfo[1]}) |
0 | 84 |
|
85 |
def validate_session(self, req, session): |
|
5223
6abd6e3599f4
#773448: refactor session and 'no connection' handling, by introducing proper web session. We should now be able to see page even when no anon is configured, and be redirected to the login form as soon as one tries to do a query.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4916
diff
changeset
|
86 |
"""check session validity, reconnecting it to the repository if the |
6abd6e3599f4
#773448: refactor session and 'no connection' handling, by introducing proper web session. We should now be able to see page even when no anon is configured, and be redirected to the login form as soon as one tries to do a query.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4916
diff
changeset
|
87 |
associated connection expired in the repository side (hence the |
6abd6e3599f4
#773448: refactor session and 'no connection' handling, by introducing proper web session. We should now be able to see page even when no anon is configured, and be redirected to the login form as soon as one tries to do a query.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4916
diff
changeset
|
88 |
necessity for this method). Return the connected user on success. |
0 | 89 |
|
5223
6abd6e3599f4
#773448: refactor session and 'no connection' handling, by introducing proper web session. We should now be able to see page even when no anon is configured, and be redirected to the login form as soon as one tries to do a query.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4916
diff
changeset
|
90 |
raise :exc:`InvalidSession` if session is corrupted for a reason or |
6abd6e3599f4
#773448: refactor session and 'no connection' handling, by introducing proper web session. We should now be able to see page even when no anon is configured, and be redirected to the login form as soon as one tries to do a query.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4916
diff
changeset
|
91 |
another and should be closed |
0 | 92 |
""" |
93 |
# with this authentication manager, session is actually a dbapi |
|
94 |
# connection |
|
95 |
login = req.get_authorization()[0] |
|
5251
b675edd05c19
[web session] fix web session id bug on automatic reconnection. The web session id should keep the first connection id, then differ of the repo connection id once some reconnection has been done (since the session cookie isn't updated in such cases). Also, use a lock to avoid potential race condition on reconnection.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
5223
diff
changeset
|
96 |
# check session.login and not user.login, since in case of login by |
5223
6abd6e3599f4
#773448: refactor session and 'no connection' handling, by introducing proper web session. We should now be able to see page even when no anon is configured, and be redirected to the login form as soon as one tries to do a query.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4916
diff
changeset
|
97 |
# email, login and cnx.login are the email while user.login is the |
6abd6e3599f4
#773448: refactor session and 'no connection' handling, by introducing proper web session. We should now be able to see page even when no anon is configured, and be redirected to the login form as soon as one tries to do a query.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4916
diff
changeset
|
98 |
# actual user login |
6abd6e3599f4
#773448: refactor session and 'no connection' handling, by introducing proper web session. We should now be able to see page even when no anon is configured, and be redirected to the login form as soon as one tries to do a query.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4916
diff
changeset
|
99 |
if login and session.login != login: |
6abd6e3599f4
#773448: refactor session and 'no connection' handling, by introducing proper web session. We should now be able to see page even when no anon is configured, and be redirected to the login form as soon as one tries to do a query.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4916
diff
changeset
|
100 |
raise InvalidSession('login mismatch') |
0 | 101 |
try: |
5251
b675edd05c19
[web session] fix web session id bug on automatic reconnection. The web session id should keep the first connection id, then differ of the repo connection id once some reconnection has been done (since the session cookie isn't updated in such cases). Also, use a lock to avoid potential race condition on reconnection.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
5223
diff
changeset
|
102 |
lock = session.reconnection_lock |
b675edd05c19
[web session] fix web session id bug on automatic reconnection. The web session id should keep the first connection id, then differ of the repo connection id once some reconnection has been done (since the session cookie isn't updated in such cases). Also, use a lock to avoid potential race condition on reconnection.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
5223
diff
changeset
|
103 |
except AttributeError: |
b675edd05c19
[web session] fix web session id bug on automatic reconnection. The web session id should keep the first connection id, then differ of the repo connection id once some reconnection has been done (since the session cookie isn't updated in such cases). Also, use a lock to avoid potential race condition on reconnection.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
5223
diff
changeset
|
104 |
lock = session.reconnection_lock = Lock() |
b675edd05c19
[web session] fix web session id bug on automatic reconnection. The web session id should keep the first connection id, then differ of the repo connection id once some reconnection has been done (since the session cookie isn't updated in such cases). Also, use a lock to avoid potential race condition on reconnection.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
5223
diff
changeset
|
105 |
# need to be locked two avoid duplicated reconnections on concurrent |
b675edd05c19
[web session] fix web session id bug on automatic reconnection. The web session id should keep the first connection id, then differ of the repo connection id once some reconnection has been done (since the session cookie isn't updated in such cases). Also, use a lock to avoid potential race condition on reconnection.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
5223
diff
changeset
|
106 |
# requests |
b675edd05c19
[web session] fix web session id bug on automatic reconnection. The web session id should keep the first connection id, then differ of the repo connection id once some reconnection has been done (since the session cookie isn't updated in such cases). Also, use a lock to avoid potential race condition on reconnection.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
5223
diff
changeset
|
107 |
with lock: |
b675edd05c19
[web session] fix web session id bug on automatic reconnection. The web session id should keep the first connection id, then differ of the repo connection id once some reconnection has been done (since the session cookie isn't updated in such cases). Also, use a lock to avoid potential race condition on reconnection.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
5223
diff
changeset
|
108 |
cnx = session.cnx |
b675edd05c19
[web session] fix web session id bug on automatic reconnection. The web session id should keep the first connection id, then differ of the repo connection id once some reconnection has been done (since the session cookie isn't updated in such cases). Also, use a lock to avoid potential race condition on reconnection.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
5223
diff
changeset
|
109 |
try: |
b675edd05c19
[web session] fix web session id bug on automatic reconnection. The web session id should keep the first connection id, then differ of the repo connection id once some reconnection has been done (since the session cookie isn't updated in such cases). Also, use a lock to avoid potential race condition on reconnection.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
5223
diff
changeset
|
110 |
# calling cnx.user() check connection validity, raise |
b675edd05c19
[web session] fix web session id bug on automatic reconnection. The web session id should keep the first connection id, then differ of the repo connection id once some reconnection has been done (since the session cookie isn't updated in such cases). Also, use a lock to avoid potential race condition on reconnection.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
5223
diff
changeset
|
111 |
# BadConnectionId on failure |
0 | 112 |
user = cnx.user(req) |
5251
b675edd05c19
[web session] fix web session id bug on automatic reconnection. The web session id should keep the first connection id, then differ of the repo connection id once some reconnection has been done (since the session cookie isn't updated in such cases). Also, use a lock to avoid potential race condition on reconnection.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
5223
diff
changeset
|
113 |
except BadConnectionId: |
b675edd05c19
[web session] fix web session id bug on automatic reconnection. The web session id should keep the first connection id, then differ of the repo connection id once some reconnection has been done (since the session cookie isn't updated in such cases). Also, use a lock to avoid potential race condition on reconnection.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
5223
diff
changeset
|
114 |
# check if a connection should be automatically restablished |
b675edd05c19
[web session] fix web session id bug on automatic reconnection. The web session id should keep the first connection id, then differ of the repo connection id once some reconnection has been done (since the session cookie isn't updated in such cases). Also, use a lock to avoid potential race condition on reconnection.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
5223
diff
changeset
|
115 |
if (login is None or login == session.login): |
b675edd05c19
[web session] fix web session id bug on automatic reconnection. The web session id should keep the first connection id, then differ of the repo connection id once some reconnection has been done (since the session cookie isn't updated in such cases). Also, use a lock to avoid potential race condition on reconnection.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
5223
diff
changeset
|
116 |
cnx = self._authenticate(session.login, session.authinfo) |
b675edd05c19
[web session] fix web session id bug on automatic reconnection. The web session id should keep the first connection id, then differ of the repo connection id once some reconnection has been done (since the session cookie isn't updated in such cases). Also, use a lock to avoid potential race condition on reconnection.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
5223
diff
changeset
|
117 |
user = cnx.user(req) |
b675edd05c19
[web session] fix web session id bug on automatic reconnection. The web session id should keep the first connection id, then differ of the repo connection id once some reconnection has been done (since the session cookie isn't updated in such cases). Also, use a lock to avoid potential race condition on reconnection.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
5223
diff
changeset
|
118 |
session.cnx = cnx |
b675edd05c19
[web session] fix web session id bug on automatic reconnection. The web session id should keep the first connection id, then differ of the repo connection id once some reconnection has been done (since the session cookie isn't updated in such cases). Also, use a lock to avoid potential race condition on reconnection.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
5223
diff
changeset
|
119 |
else: |
b675edd05c19
[web session] fix web session id bug on automatic reconnection. The web session id should keep the first connection id, then differ of the repo connection id once some reconnection has been done (since the session cookie isn't updated in such cases). Also, use a lock to avoid potential race condition on reconnection.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
5223
diff
changeset
|
120 |
raise InvalidSession('bad connection id') |
5223
6abd6e3599f4
#773448: refactor session and 'no connection' handling, by introducing proper web session. We should now be able to see page even when no anon is configured, and be redirected to the login form as soon as one tries to do a query.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4916
diff
changeset
|
121 |
return user |
1488
6da89a703c5a
add ability to login with a primary email address - no tests for now are unittest_application.py are now broken
Florent <florent@secondweb.fr>
parents:
0
diff
changeset
|
122 |
|
3658
d8f2ec7e91fa
pluggable authentication information retreiver
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
3647
diff
changeset
|
123 |
def authenticate(self, req): |
5223
6abd6e3599f4
#773448: refactor session and 'no connection' handling, by introducing proper web session. We should now be able to see page even when no anon is configured, and be redirected to the login form as soon as one tries to do a query.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4916
diff
changeset
|
124 |
"""authenticate user using connection information found in the request, |
6abd6e3599f4
#773448: refactor session and 'no connection' handling, by introducing proper web session. We should now be able to see page even when no anon is configured, and be redirected to the login form as soon as one tries to do a query.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4916
diff
changeset
|
125 |
and return corresponding a :class:`~cubicweb.dbapi.Connection` instance, |
6abd6e3599f4
#773448: refactor session and 'no connection' handling, by introducing proper web session. We should now be able to see page even when no anon is configured, and be redirected to the login form as soon as one tries to do a query.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4916
diff
changeset
|
126 |
as well as login and authentication information dictionary used to open |
6abd6e3599f4
#773448: refactor session and 'no connection' handling, by introducing proper web session. We should now be able to see page even when no anon is configured, and be redirected to the login form as soon as one tries to do a query.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4916
diff
changeset
|
127 |
the connection. |
1488
6da89a703c5a
add ability to login with a primary email address - no tests for now are unittest_application.py are now broken
Florent <florent@secondweb.fr>
parents:
0
diff
changeset
|
128 |
|
5223
6abd6e3599f4
#773448: refactor session and 'no connection' handling, by introducing proper web session. We should now be able to see page even when no anon is configured, and be redirected to the login form as soon as one tries to do a query.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4916
diff
changeset
|
129 |
raise :exc:`cubicweb.AuthenticationError` if authentication failed |
6abd6e3599f4
#773448: refactor session and 'no connection' handling, by introducing proper web session. We should now be able to see page even when no anon is configured, and be redirected to the login form as soon as one tries to do a query.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4916
diff
changeset
|
130 |
(no authentication info found or wrong user/password) |
0 | 131 |
""" |
3658
d8f2ec7e91fa
pluggable authentication information retreiver
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
3647
diff
changeset
|
132 |
for retreiver in self.authinforetreivers: |
d8f2ec7e91fa
pluggable authentication information retreiver
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
3647
diff
changeset
|
133 |
try: |
d8f2ec7e91fa
pluggable authentication information retreiver
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
3647
diff
changeset
|
134 |
login, authinfo = retreiver.authentication_information(req) |
d8f2ec7e91fa
pluggable authentication information retreiver
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
3647
diff
changeset
|
135 |
except NoAuthInfo: |
d8f2ec7e91fa
pluggable authentication information retreiver
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
3647
diff
changeset
|
136 |
continue |
4855
e69b2f2f2d61
when some authentication plugin fail, we may try another one
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4252
diff
changeset
|
137 |
try: |
5223
6abd6e3599f4
#773448: refactor session and 'no connection' handling, by introducing proper web session. We should now be able to see page even when no anon is configured, and be redirected to the login form as soon as one tries to do a query.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4916
diff
changeset
|
138 |
cnx = self._authenticate(login, authinfo) |
6abd6e3599f4
#773448: refactor session and 'no connection' handling, by introducing proper web session. We should now be able to see page even when no anon is configured, and be redirected to the login form as soon as one tries to do a query.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4916
diff
changeset
|
139 |
except AuthenticationError: |
4855
e69b2f2f2d61
when some authentication plugin fail, we may try another one
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4252
diff
changeset
|
140 |
continue # the next one may succeed |
4910
f40fddaa79ad
[web auth] fix authentication pb when anonymous are allowed, avoiding the first authentifier to return an anon connection while a following one may find correct authentication info. This make things simpler (eventually)
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4856
diff
changeset
|
141 |
for retreiver_ in self.authinforetreivers: |
5223
6abd6e3599f4
#773448: refactor session and 'no connection' handling, by introducing proper web session. We should now be able to see page even when no anon is configured, and be redirected to the login form as soon as one tries to do a query.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4916
diff
changeset
|
142 |
retreiver_.authenticated(retreiver, req, cnx, login, authinfo) |
6abd6e3599f4
#773448: refactor session and 'no connection' handling, by introducing proper web session. We should now be able to see page even when no anon is configured, and be redirected to the login form as soon as one tries to do a query.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4916
diff
changeset
|
143 |
return cnx, login, authinfo |
6abd6e3599f4
#773448: refactor session and 'no connection' handling, by introducing proper web session. We should now be able to see page even when no anon is configured, and be redirected to the login form as soon as one tries to do a query.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4916
diff
changeset
|
144 |
# false if no authentication info found, eg this is not an |
6abd6e3599f4
#773448: refactor session and 'no connection' handling, by introducing proper web session. We should now be able to see page even when no anon is configured, and be redirected to the login form as soon as one tries to do a query.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4916
diff
changeset
|
145 |
# authentication failure |
6abd6e3599f4
#773448: refactor session and 'no connection' handling, by introducing proper web session. We should now be able to see page even when no anon is configured, and be redirected to the login form as soon as one tries to do a query.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4916
diff
changeset
|
146 |
if 'login' in locals(): |
6abd6e3599f4
#773448: refactor session and 'no connection' handling, by introducing proper web session. We should now be able to see page even when no anon is configured, and be redirected to the login form as soon as one tries to do a query.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4916
diff
changeset
|
147 |
req.set_message(req._('authentication failure')) |
6abd6e3599f4
#773448: refactor session and 'no connection' handling, by introducing proper web session. We should now be able to see page even when no anon is configured, and be redirected to the login form as soon as one tries to do a query.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4916
diff
changeset
|
148 |
login, authinfo = self.anoninfo |
6abd6e3599f4
#773448: refactor session and 'no connection' handling, by introducing proper web session. We should now be able to see page even when no anon is configured, and be redirected to the login form as soon as one tries to do a query.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4916
diff
changeset
|
149 |
if login: |
6abd6e3599f4
#773448: refactor session and 'no connection' handling, by introducing proper web session. We should now be able to see page even when no anon is configured, and be redirected to the login form as soon as one tries to do a query.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4916
diff
changeset
|
150 |
cnx = self._authenticate(login, authinfo) |
6abd6e3599f4
#773448: refactor session and 'no connection' handling, by introducing proper web session. We should now be able to see page even when no anon is configured, and be redirected to the login form as soon as one tries to do a query.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4916
diff
changeset
|
151 |
cnx.anonymous_connection = True |
6abd6e3599f4
#773448: refactor session and 'no connection' handling, by introducing proper web session. We should now be able to see page even when no anon is configured, and be redirected to the login form as soon as one tries to do a query.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4916
diff
changeset
|
152 |
return cnx, login, authinfo |
6abd6e3599f4
#773448: refactor session and 'no connection' handling, by introducing proper web session. We should now be able to see page even when no anon is configured, and be redirected to the login form as soon as one tries to do a query.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4916
diff
changeset
|
153 |
raise AuthenticationError() |
3658
d8f2ec7e91fa
pluggable authentication information retreiver
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
3647
diff
changeset
|
154 |
|
5223
6abd6e3599f4
#773448: refactor session and 'no connection' handling, by introducing proper web session. We should now be able to see page even when no anon is configured, and be redirected to the login form as soon as one tries to do a query.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4916
diff
changeset
|
155 |
def _authenticate(self, login, authinfo): |
0 | 156 |
cnxprops = ConnectionProperties(self.vreg.config.repo_method, |
157 |
close=False, log=self.log_queries) |
|
5223
6abd6e3599f4
#773448: refactor session and 'no connection' handling, by introducing proper web session. We should now be able to see page even when no anon is configured, and be redirected to the login form as soon as one tries to do a query.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4916
diff
changeset
|
158 |
cnx = repo_connect(self.repo, login, cnxprops=cnxprops, **authinfo) |
6abd6e3599f4
#773448: refactor session and 'no connection' handling, by introducing proper web session. We should now be able to see page even when no anon is configured, and be redirected to the login form as soon as one tries to do a query.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4916
diff
changeset
|
159 |
# decorate connection |
6abd6e3599f4
#773448: refactor session and 'no connection' handling, by introducing proper web session. We should now be able to see page even when no anon is configured, and be redirected to the login form as soon as one tries to do a query.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4916
diff
changeset
|
160 |
cnx.vreg = self.vreg |
0 | 161 |
return cnx |
162 |