cubicweb: web/views/authentication.py@8167de96c523 (annotated)

5421 8167de96c523 proper licensing information (LGPL-2.1). Hope I get it right this time. Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5417 diff changeset	1	# copyright 2003-2010 LOGILAB S.A. (Paris, FRANCE), all rights reserved.
8167de96c523 proper licensing information (LGPL-2.1). Hope I get it right this time. Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5417 diff changeset	2	# contact http://www.logilab.fr/ -- mailto:contact@logilab.fr
8167de96c523 proper licensing information (LGPL-2.1). Hope I get it right this time. Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5417 diff changeset	3	#
8167de96c523 proper licensing information (LGPL-2.1). Hope I get it right this time. Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5417 diff changeset	4	# This file is part of CubicWeb.
8167de96c523 proper licensing information (LGPL-2.1). Hope I get it right this time. Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5417 diff changeset	5	#
8167de96c523 proper licensing information (LGPL-2.1). Hope I get it right this time. Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5417 diff changeset	6	# CubicWeb is free software: you can redistribute it and/or modify it under the
8167de96c523 proper licensing information (LGPL-2.1). Hope I get it right this time. Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5417 diff changeset	7	# terms of the GNU Lesser General Public License as published by the Free
8167de96c523 proper licensing information (LGPL-2.1). Hope I get it right this time. Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5417 diff changeset	8	# Software Foundation, either version 2.1 of the License, or (at your option)
8167de96c523 proper licensing information (LGPL-2.1). Hope I get it right this time. Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5417 diff changeset	9	# any later version.
8167de96c523 proper licensing information (LGPL-2.1). Hope I get it right this time. Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5417 diff changeset	10	#
8167de96c523 proper licensing information (LGPL-2.1). Hope I get it right this time. Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5417 diff changeset	11	# logilab-common is distributed in the hope that it will be useful, but WITHOUT
8167de96c523 proper licensing information (LGPL-2.1). Hope I get it right this time. Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5417 diff changeset	12	# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
8167de96c523 proper licensing information (LGPL-2.1). Hope I get it right this time. Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5417 diff changeset	13	# FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more
8167de96c523 proper licensing information (LGPL-2.1). Hope I get it right this time. Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5417 diff changeset	14	# details.
8167de96c523 proper licensing information (LGPL-2.1). Hope I get it right this time. Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5417 diff changeset	15	#
8167de96c523 proper licensing information (LGPL-2.1). Hope I get it right this time. Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5417 diff changeset	16	# You should have received a copy of the GNU Lesser General Public License along
8167de96c523 proper licensing information (LGPL-2.1). Hope I get it right this time. Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5417 diff changeset	17	# with CubicWeb. If not, see <http://www.gnu.org/licenses/>.
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	18	"""user authentication component
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	19
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	20	"""
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	21	__docformat__ = "restructuredtext en"
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	22
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	23	from logilab.common.decorators import clear_cache
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	24
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	25	from cubicweb import AuthenticationError, BadConnectionId
3658 d8f2ec7e91fa pluggable authentication information retreiver Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 3647 diff changeset	26	from cubicweb.view import Component
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	27	from cubicweb.dbapi import repo_connect, ConnectionProperties
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	28	from cubicweb.web import ExplicitLogin, InvalidSession
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	29	from cubicweb.web.application import AbstractAuthenticationManager
1668 d2ac1d681d70 delete-trailing-whitespaces sylvain.thenault@logilab.fr parents: 1490 diff changeset	30
3658 d8f2ec7e91fa pluggable authentication information retreiver Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 3647 diff changeset	31	class NoAuthInfo(Exception): pass
d8f2ec7e91fa pluggable authentication information retreiver Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 3647 diff changeset	32
d8f2ec7e91fa pluggable authentication information retreiver Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 3647 diff changeset	33
d8f2ec7e91fa pluggable authentication information retreiver Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 3647 diff changeset	34	class WebAuthInfoRetreiver(Component):
d8f2ec7e91fa pluggable authentication information retreiver Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 3647 diff changeset	35	__registry__ = 'webauth'
d8f2ec7e91fa pluggable authentication information retreiver Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 3647 diff changeset	36	order = None
d8f2ec7e91fa pluggable authentication information retreiver Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 3647 diff changeset	37
d8f2ec7e91fa pluggable authentication information retreiver Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 3647 diff changeset	38	def authentication_information(self, req):
d8f2ec7e91fa pluggable authentication information retreiver Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 3647 diff changeset	39	"""retreive authentication information from the given request, raise
d8f2ec7e91fa pluggable authentication information retreiver Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 3647 diff changeset	40	NoAuthInfo if expected information is not found.
d8f2ec7e91fa pluggable authentication information retreiver Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 3647 diff changeset	41	"""
d8f2ec7e91fa pluggable authentication information retreiver Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 3647 diff changeset	42	raise NotImplementedError()
d8f2ec7e91fa pluggable authentication information retreiver Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 3647 diff changeset	43
d8f2ec7e91fa pluggable authentication information retreiver Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 3647 diff changeset	44	def authenticated(self, req, cnx, retreiver):
d8f2ec7e91fa pluggable authentication information retreiver Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 3647 diff changeset	45	"""callback when return authentication information have opened a
d8f2ec7e91fa pluggable authentication information retreiver Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 3647 diff changeset	46	repository connection successfully
d8f2ec7e91fa pluggable authentication information retreiver Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 3647 diff changeset	47	"""
d8f2ec7e91fa pluggable authentication information retreiver Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 3647 diff changeset	48	pass
d8f2ec7e91fa pluggable authentication information retreiver Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 3647 diff changeset	49
d8f2ec7e91fa pluggable authentication information retreiver Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 3647 diff changeset	50
d8f2ec7e91fa pluggable authentication information retreiver Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 3647 diff changeset	51	class LoginPasswordRetreiver(WebAuthInfoRetreiver):
d8f2ec7e91fa pluggable authentication information retreiver Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 3647 diff changeset	52	__regid__ = 'loginpwdauth'
d8f2ec7e91fa pluggable authentication information retreiver Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 3647 diff changeset	53	order = 10
d8f2ec7e91fa pluggable authentication information retreiver Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 3647 diff changeset	54
d8f2ec7e91fa pluggable authentication information retreiver Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 3647 diff changeset	55	def authentication_information(self, req):
d8f2ec7e91fa pluggable authentication information retreiver Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 3647 diff changeset	56	"""retreive authentication information from the given request, raise
d8f2ec7e91fa pluggable authentication information retreiver Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 3647 diff changeset	57	NoAuthInfo if expected information is not found.
d8f2ec7e91fa pluggable authentication information retreiver Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 3647 diff changeset	58	"""
d8f2ec7e91fa pluggable authentication information retreiver Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 3647 diff changeset	59	login, password = req.get_authorization()
d8f2ec7e91fa pluggable authentication information retreiver Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 3647 diff changeset	60	if not login:
4910 f40fddaa79ad [web auth] fix authentication pb when anonymous are allowed, avoiding the first authentifier to return an anon connection while a following one may find correct authentication info. This make things simpler (eventually) Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4856 diff changeset	61	raise NoAuthInfo()
3658 d8f2ec7e91fa pluggable authentication information retreiver Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 3647 diff changeset	62	return login, {'password': password}
d8f2ec7e91fa pluggable authentication information retreiver Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 3647 diff changeset	63
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	64
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	65	class RepositoryAuthenticationManager(AbstractAuthenticationManager):
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	66	"""authenticate user associated to a request and check session validity"""
1668 d2ac1d681d70 delete-trailing-whitespaces sylvain.thenault@logilab.fr parents: 1490 diff changeset	67
2887 1282dc6525c5 give vreg where we need it (eg no bound request) Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2267 diff changeset	68	def __init__(self, vreg):
1282dc6525c5 give vreg where we need it (eg no bound request) Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2267 diff changeset	69	super(RepositoryAuthenticationManager, self).__init__(vreg)
1282dc6525c5 give vreg where we need it (eg no bound request) Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2267 diff changeset	70	self.repo = vreg.config.repository(vreg)
1282dc6525c5 give vreg where we need it (eg no bound request) Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2267 diff changeset	71	self.log_queries = vreg.config['query-log-file']
3658 d8f2ec7e91fa pluggable authentication information retreiver Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 3647 diff changeset	72	self.authinforetreivers = sorted(vreg['webauth'].possible_objects(vreg),
d8f2ec7e91fa pluggable authentication information retreiver Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 3647 diff changeset	73	key=lambda x: x.order)
4910 f40fddaa79ad [web auth] fix authentication pb when anonymous are allowed, avoiding the first authentifier to return an anon connection while a following one may find correct authentication info. This make things simpler (eventually) Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4856 diff changeset	74	self.anoninfo = vreg.config.anonymous_user()
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	75
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	76	def validate_session(self, req, session):
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	77	"""check session validity, and return eventually hijacked session
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	78
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	79	:raise InvalidSession:
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	80	if session is corrupted for a reason or another and should be closed
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	81	"""
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	82	# with this authentication manager, session is actually a dbapi
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	83	# connection
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	84	cnx = session
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	85	login = req.get_authorization()[0]
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	86	try:
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	87	# calling cnx.user() check connection validity, raise
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	88	# BadConnectionId on failure
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	89	user = cnx.user(req)
2267 e1d2df3f1091 move login by email functionnality on the repository side to avoid buggy call to internal_session from the web interface side Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 1977 diff changeset	90	# check cnx.login and not user.login, since in case of login by
e1d2df3f1091 move login by email functionnality on the repository side to avoid buggy call to internal_session from the web interface side Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 1977 diff changeset	91	# email, login and cnx.login are the email while user.login is the
e1d2df3f1091 move login by email functionnality on the repository side to avoid buggy call to internal_session from the web interface side Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 1977 diff changeset	92	# actual user login
e1d2df3f1091 move login by email functionnality on the repository side to avoid buggy call to internal_session from the web interface side Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 1977 diff changeset	93	if login and cnx.login != login:
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	94	cnx.close()
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	95	raise InvalidSession('login mismatch')
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	96	except BadConnectionId:
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	97	# check if a connection should be automatically restablished
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	98	if (login is None or login == cnx.login):
3658 d8f2ec7e91fa pluggable authentication information retreiver Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 3647 diff changeset	99	cnx = self._authenticate(req, cnx.login, cnx.authinfo)
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	100	user = cnx.user(req)
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	101	# backport session's data
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	102	cnx.data = session.data
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	103	else:
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	104	raise InvalidSession('bad connection id')
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	105	# associate the connection to the current request
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	106	req.set_connection(cnx, user)
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	107	return cnx
1488 6da89a703c5a add ability to login with a primary email address - no tests for now are unittest_application.py are now broken Florent <florent@secondweb.fr> parents: 0 diff changeset	108
3658 d8f2ec7e91fa pluggable authentication information retreiver Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 3647 diff changeset	109	def authenticate(self, req):
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	110	"""authenticate user and return corresponding user object
1488 6da89a703c5a add ability to login with a primary email address - no tests for now are unittest_application.py are now broken Florent <florent@secondweb.fr> parents: 0 diff changeset	111
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	112	:raise ExplicitLogin: if authentication is required (no authentication
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	113	info found or wrong user/password)
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	114
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	115	Note: this method is violating AuthenticationManager interface by
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	116	returning a session instance instead of the user. This is expected by
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	117	the InMemoryRepositorySessionManager.
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	118	"""
3658 d8f2ec7e91fa pluggable authentication information retreiver Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 3647 diff changeset	119	for retreiver in self.authinforetreivers:
d8f2ec7e91fa pluggable authentication information retreiver Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 3647 diff changeset	120	try:
d8f2ec7e91fa pluggable authentication information retreiver Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 3647 diff changeset	121	login, authinfo = retreiver.authentication_information(req)
d8f2ec7e91fa pluggable authentication information retreiver Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 3647 diff changeset	122	except NoAuthInfo:
d8f2ec7e91fa pluggable authentication information retreiver Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 3647 diff changeset	123	continue
4855 e69b2f2f2d61 when some authentication plugin fail, we may try another one Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4252 diff changeset	124	try:
e69b2f2f2d61 when some authentication plugin fail, we may try another one Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4252 diff changeset	125	cnx = self._authenticate(req, login, authinfo)
e69b2f2f2d61 when some authentication plugin fail, we may try another one Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4252 diff changeset	126	except ExplicitLogin:
e69b2f2f2d61 when some authentication plugin fail, we may try another one Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4252 diff changeset	127	continue # the next one may succeed
4910 f40fddaa79ad [web auth] fix authentication pb when anonymous are allowed, avoiding the first authentifier to return an anon connection while a following one may find correct authentication info. This make things simpler (eventually) Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4856 diff changeset	128	for retreiver_ in self.authinforetreivers:
f40fddaa79ad [web auth] fix authentication pb when anonymous are allowed, avoiding the first authentifier to return an anon connection while a following one may find correct authentication info. This make things simpler (eventually) Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4856 diff changeset	129	retreiver_.authenticated(req, cnx, retreiver)
f40fddaa79ad [web auth] fix authentication pb when anonymous are allowed, avoiding the first authentifier to return an anon connection while a following one may find correct authentication info. This make things simpler (eventually) Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4856 diff changeset	130	break
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	131	else:
4910 f40fddaa79ad [web auth] fix authentication pb when anonymous are allowed, avoiding the first authentifier to return an anon connection while a following one may find correct authentication info. This make things simpler (eventually) Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4856 diff changeset	132	# false if no authentication info found, eg this is not an
f40fddaa79ad [web auth] fix authentication pb when anonymous are allowed, avoiding the first authentifier to return an anon connection while a following one may find correct authentication info. This make things simpler (eventually) Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4856 diff changeset	133	# authentication failure
f40fddaa79ad [web auth] fix authentication pb when anonymous are allowed, avoiding the first authentifier to return an anon connection while a following one may find correct authentication info. This make things simpler (eventually) Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4856 diff changeset	134	if 'login' in locals():
f40fddaa79ad [web auth] fix authentication pb when anonymous are allowed, avoiding the first authentifier to return an anon connection while a following one may find correct authentication info. This make things simpler (eventually) Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4856 diff changeset	135	req.set_message(req._('authentication failure'))
f40fddaa79ad [web auth] fix authentication pb when anonymous are allowed, avoiding the first authentifier to return an anon connection while a following one may find correct authentication info. This make things simpler (eventually) Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4856 diff changeset	136	cnx = self._open_anonymous_connection(req)
3658 d8f2ec7e91fa pluggable authentication information retreiver Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 3647 diff changeset	137	return cnx
d8f2ec7e91fa pluggable authentication information retreiver Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 3647 diff changeset	138
d8f2ec7e91fa pluggable authentication information retreiver Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 3647 diff changeset	139	def _authenticate(self, req, login, authinfo):
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	140	cnxprops = ConnectionProperties(self.vreg.config.repo_method,
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	141	close=False, log=self.log_queries)
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	142	try:
3658 d8f2ec7e91fa pluggable authentication information retreiver Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 3647 diff changeset	143	cnx = repo_connect(self.repo, login, cnxprops=cnxprops, **authinfo)
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	144	except AuthenticationError:
4910 f40fddaa79ad [web auth] fix authentication pb when anonymous are allowed, avoiding the first authentifier to return an anon connection while a following one may find correct authentication info. This make things simpler (eventually) Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4856 diff changeset	145	raise ExplicitLogin()
f40fddaa79ad [web auth] fix authentication pb when anonymous are allowed, avoiding the first authentifier to return an anon connection while a following one may find correct authentication info. This make things simpler (eventually) Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4856 diff changeset	146	self._init_cnx(cnx, login, authinfo)
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	147	# associate the connection to the current request
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	148	req.set_connection(cnx)
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	149	return cnx
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	150
4910 f40fddaa79ad [web auth] fix authentication pb when anonymous are allowed, avoiding the first authentifier to return an anon connection while a following one may find correct authentication info. This make things simpler (eventually) Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4856 diff changeset	151	def _open_anonymous_connection(self, req):
f40fddaa79ad [web auth] fix authentication pb when anonymous are allowed, avoiding the first authentifier to return an anon connection while a following one may find correct authentication info. This make things simpler (eventually) Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4856 diff changeset	152	# restore an anonymous connection if possible
f40fddaa79ad [web auth] fix authentication pb when anonymous are allowed, avoiding the first authentifier to return an anon connection while a following one may find correct authentication info. This make things simpler (eventually) Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4856 diff changeset	153	login, password = self.anoninfo
f40fddaa79ad [web auth] fix authentication pb when anonymous are allowed, avoiding the first authentifier to return an anon connection while a following one may find correct authentication info. This make things simpler (eventually) Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4856 diff changeset	154	if login:
4916 4b8cdda342ae fix tests Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4910 diff changeset	155	cnx = self._authenticate(req, login, {'password': password})
4b8cdda342ae fix tests Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4910 diff changeset	156	cnx.anonymous_connection = True
4b8cdda342ae fix tests Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4910 diff changeset	157	return cnx
4910 f40fddaa79ad [web auth] fix authentication pb when anonymous are allowed, avoiding the first authentifier to return an anon connection while a following one may find correct authentication info. This make things simpler (eventually) Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4856 diff changeset	158	raise ExplicitLogin()
f40fddaa79ad [web auth] fix authentication pb when anonymous are allowed, avoiding the first authentifier to return an anon connection while a following one may find correct authentication info. This make things simpler (eventually) Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4856 diff changeset	159
3658 d8f2ec7e91fa pluggable authentication information retreiver Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 3647 diff changeset	160	def _init_cnx(self, cnx, login, authinfo):
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	161	# decorate connection
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	162	cnx.vreg = self.vreg
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	163	cnx.login = login
3658 d8f2ec7e91fa pluggable authentication information retreiver Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 3647 diff changeset	164	cnx.authinfo = authinfo
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	165

author	Sylvain Thénault <sylvain.thenault@logilab.fr>
	Wed, 28 Apr 2010 10:06:01 +0200
branch	stable
changeset 5421	8167de96c523
parent 5417	55ff79dad1a6
child 5423	e15abfdcce38
child 5424	8ecbcbff9777
permissions	-rw-r--r--