author | Sylvain Thénault <sylvain.thenault@logilab.fr> |
Fri, 29 May 2009 14:43:58 +0200 | |
changeset 2006 | 78d5b57d4964 |
parent 1977 | 606923dff11b |
child 2267 | e1d2df3f1091 |
permissions | -rw-r--r-- |
0 | 1 |
"""user authentication component |
2 |
||
3 |
:organization: Logilab |
|
1977
606923dff11b
big bunch of copyright / docstring update
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
1690
diff
changeset
|
4 |
:copyright: 2001-2009 LOGILAB S.A. (Paris, FRANCE), license is LGPL v2. |
0 | 5 |
:contact: http://www.logilab.fr/ -- mailto:contact@logilab.fr |
1977
606923dff11b
big bunch of copyright / docstring update
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
1690
diff
changeset
|
6 |
:license: GNU Lesser General Public License, v2.1 - http://www.gnu.org/licenses |
0 | 7 |
""" |
8 |
__docformat__ = "restructuredtext en" |
|
9 |
||
10 |
from logilab.common.decorators import clear_cache |
|
11 |
||
12 |
from cubicweb import AuthenticationError, BadConnectionId |
|
13 |
from cubicweb.dbapi import repo_connect, ConnectionProperties |
|
14 |
from cubicweb.web import ExplicitLogin, InvalidSession |
|
15 |
from cubicweb.web.application import AbstractAuthenticationManager |
|
1668 | 16 |
|
0 | 17 |
|
18 |
class RepositoryAuthenticationManager(AbstractAuthenticationManager): |
|
19 |
"""authenticate user associated to a request and check session validity""" |
|
1668 | 20 |
|
0 | 21 |
def __init__(self): |
22 |
self.repo = self.config.repository(self.vreg) |
|
23 |
self.log_queries = self.config['query-log-file'] |
|
24 |
||
25 |
def validate_session(self, req, session): |
|
26 |
"""check session validity, and return eventually hijacked session |
|
27 |
||
28 |
:raise InvalidSession: |
|
29 |
if session is corrupted for a reason or another and should be closed |
|
30 |
""" |
|
31 |
# with this authentication manager, session is actually a dbapi |
|
32 |
# connection |
|
33 |
cnx = session |
|
34 |
login = req.get_authorization()[0] |
|
35 |
try: |
|
36 |
# calling cnx.user() check connection validity, raise |
|
37 |
# BadConnectionId on failure |
|
38 |
user = cnx.user(req) |
|
39 |
if login and user.login != login: |
|
40 |
cnx.close() |
|
41 |
raise InvalidSession('login mismatch') |
|
42 |
except BadConnectionId: |
|
43 |
# check if a connection should be automatically restablished |
|
44 |
if (login is None or login == cnx.login): |
|
45 |
login, password = cnx.login, cnx.password |
|
46 |
cnx = self.authenticate(req, login, password) |
|
47 |
user = cnx.user(req) |
|
48 |
# backport session's data |
|
49 |
cnx.data = session.data |
|
50 |
else: |
|
51 |
raise InvalidSession('bad connection id') |
|
52 |
# associate the connection to the current request |
|
53 |
req.set_connection(cnx, user) |
|
54 |
return cnx |
|
1488
6da89a703c5a
add ability to login with a primary email address - no tests for now are unittest_application.py are now broken
Florent <florent@secondweb.fr>
parents:
0
diff
changeset
|
55 |
|
6da89a703c5a
add ability to login with a primary email address - no tests for now are unittest_application.py are now broken
Florent <florent@secondweb.fr>
parents:
0
diff
changeset
|
56 |
def login_from_email(self, login): |
1664
03ebeccf9f1d
add XXX before 2 calls to self.repo.internal_session() on the web interface side
Florent <florent@secondweb.fr>
parents:
1663
diff
changeset
|
57 |
# XXX should not be called from web interface |
1488
6da89a703c5a
add ability to login with a primary email address - no tests for now are unittest_application.py are now broken
Florent <florent@secondweb.fr>
parents:
0
diff
changeset
|
58 |
session = self.repo.internal_session() |
1663
89efe0e744cf
close internal session in login_from_email
Florent <florent@secondweb.fr>
parents:
1490
diff
changeset
|
59 |
try: |
89efe0e744cf
close internal session in login_from_email
Florent <florent@secondweb.fr>
parents:
1490
diff
changeset
|
60 |
rset = session.execute('Any L WHERE U login L, U primary_email M, ' |
89efe0e744cf
close internal session in login_from_email
Florent <florent@secondweb.fr>
parents:
1490
diff
changeset
|
61 |
'M address %(login)s', {'login': login}) |
89efe0e744cf
close internal session in login_from_email
Florent <florent@secondweb.fr>
parents:
1490
diff
changeset
|
62 |
if rset.rowcount == 1: |
89efe0e744cf
close internal session in login_from_email
Florent <florent@secondweb.fr>
parents:
1490
diff
changeset
|
63 |
login = rset[0][0] |
89efe0e744cf
close internal session in login_from_email
Florent <florent@secondweb.fr>
parents:
1490
diff
changeset
|
64 |
finally: |
89efe0e744cf
close internal session in login_from_email
Florent <florent@secondweb.fr>
parents:
1490
diff
changeset
|
65 |
session.close() |
1488
6da89a703c5a
add ability to login with a primary email address - no tests for now are unittest_application.py are now broken
Florent <florent@secondweb.fr>
parents:
0
diff
changeset
|
66 |
return login |
6da89a703c5a
add ability to login with a primary email address - no tests for now are unittest_application.py are now broken
Florent <florent@secondweb.fr>
parents:
0
diff
changeset
|
67 |
|
0 | 68 |
def authenticate(self, req, _login=None, _password=None): |
69 |
"""authenticate user and return corresponding user object |
|
1488
6da89a703c5a
add ability to login with a primary email address - no tests for now are unittest_application.py are now broken
Florent <florent@secondweb.fr>
parents:
0
diff
changeset
|
70 |
|
0 | 71 |
:raise ExplicitLogin: if authentication is required (no authentication |
72 |
info found or wrong user/password) |
|
73 |
||
74 |
Note: this method is violating AuthenticationManager interface by |
|
75 |
returning a session instance instead of the user. This is expected by |
|
76 |
the InMemoryRepositorySessionManager. |
|
77 |
""" |
|
78 |
if _login is not None: |
|
79 |
login, password = _login, _password |
|
80 |
else: |
|
81 |
login, password = req.get_authorization() |
|
1490
6b024694d493
add allow-email-login option
Florent <florent@secondweb.fr>
parents:
1488
diff
changeset
|
82 |
if self.vreg.config['allow-email-login'] and '@' in (login or u''): |
1488
6da89a703c5a
add ability to login with a primary email address - no tests for now are unittest_application.py are now broken
Florent <florent@secondweb.fr>
parents:
0
diff
changeset
|
83 |
login = self.login_from_email(login) |
0 | 84 |
if not login: |
85 |
# No session and no login -> try anonymous |
|
86 |
login, password = self.vreg.config.anonymous_user() |
|
87 |
if not login: # anonymous not authorized |
|
88 |
raise ExplicitLogin() |
|
89 |
# remove possibly cached cursor coming from closed connection |
|
90 |
clear_cache(req, 'cursor') |
|
91 |
cnxprops = ConnectionProperties(self.vreg.config.repo_method, |
|
92 |
close=False, log=self.log_queries) |
|
93 |
try: |
|
94 |
cnx = repo_connect(self.repo, login, password, cnxprops=cnxprops) |
|
95 |
except AuthenticationError: |
|
96 |
req.set_message(req._('authentication failure')) |
|
97 |
# restore an anonymous connection if possible |
|
98 |
anonlogin, anonpassword = self.vreg.config.anonymous_user() |
|
99 |
if anonlogin and anonlogin != login: |
|
100 |
cnx = repo_connect(self.repo, anonlogin, anonpassword, |
|
101 |
cnxprops=cnxprops) |
|
102 |
self._init_cnx(cnx, anonlogin, anonpassword) |
|
103 |
else: |
|
104 |
raise ExplicitLogin() |
|
105 |
else: |
|
106 |
self._init_cnx(cnx, login, password) |
|
107 |
# associate the connection to the current request |
|
108 |
req.set_connection(cnx) |
|
109 |
return cnx |
|
110 |
||
111 |
def _init_cnx(self, cnx, login, password): |
|
112 |
# decorate connection |
|
113 |
if login == self.vreg.config.anonymous_user()[0]: |
|
114 |
cnx.anonymous_connection = True |
|
115 |
cnx.vreg = self.vreg |
|
116 |
cnx.login = login |
|
117 |
cnx.password = password |
|
118 |