cubicweb/web/views/authentication.py
author Philippe Pepiot <philippe.pepiot@logilab.fr>
Fri, 28 Apr 2017 09:49:37 +0200
changeset 12183 af5d0a3c3f1a
parent 12046 9056a41d91ba
child 12279 e2953e0de494
permissions -rw-r--r--
[req] fix find() generating non-rewritable rql on non final relations When filtering on a relation, find() was generating rql like 'Any X WHERE X is ETYPE, X relation EID' which work without being rewritten (it should probably not), but when applying some rewrite (eg. permissions) it raise in rqlrewrite code. def _use_orig_term(self, snippet_varname, term): ... > self.rewritten[key] = term.name E AttributeError: 'Constant' object has no attribute 'name' Generate valid rql instead 'Any X WHERE X is ETYPE, X relation Y, Y eid EID'.
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
10331
6f25c7e4f19b [dbapi] remove the dbapi module and its immediate remaining users
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 10042
diff changeset
     1
# copyright 2003-2014 LOGILAB S.A. (Paris, FRANCE), all rights reserved.
5421
8167de96c523 proper licensing information (LGPL-2.1). Hope I get it right this time.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 5417
diff changeset
     2
# contact http://www.logilab.fr/ -- mailto:contact@logilab.fr
8167de96c523 proper licensing information (LGPL-2.1). Hope I get it right this time.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 5417
diff changeset
     3
#
8167de96c523 proper licensing information (LGPL-2.1). Hope I get it right this time.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 5417
diff changeset
     4
# This file is part of CubicWeb.
8167de96c523 proper licensing information (LGPL-2.1). Hope I get it right this time.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 5417
diff changeset
     5
#
8167de96c523 proper licensing information (LGPL-2.1). Hope I get it right this time.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 5417
diff changeset
     6
# CubicWeb is free software: you can redistribute it and/or modify it under the
8167de96c523 proper licensing information (LGPL-2.1). Hope I get it right this time.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 5417
diff changeset
     7
# terms of the GNU Lesser General Public License as published by the Free
8167de96c523 proper licensing information (LGPL-2.1). Hope I get it right this time.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 5417
diff changeset
     8
# Software Foundation, either version 2.1 of the License, or (at your option)
8167de96c523 proper licensing information (LGPL-2.1). Hope I get it right this time.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 5417
diff changeset
     9
# any later version.
8167de96c523 proper licensing information (LGPL-2.1). Hope I get it right this time.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 5417
diff changeset
    10
#
5424
8ecbcbff9777 replace logilab-common by CubicWeb in disclaimer
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 5421
diff changeset
    11
# CubicWeb is distributed in the hope that it will be useful, but WITHOUT
5421
8167de96c523 proper licensing information (LGPL-2.1). Hope I get it right this time.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 5417
diff changeset
    12
# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
8167de96c523 proper licensing information (LGPL-2.1). Hope I get it right this time.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 5417
diff changeset
    13
# FOR A PARTICULAR PURPOSE.  See the GNU Lesser General Public License for more
8167de96c523 proper licensing information (LGPL-2.1). Hope I get it right this time.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 5417
diff changeset
    14
# details.
8167de96c523 proper licensing information (LGPL-2.1). Hope I get it right this time.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 5417
diff changeset
    15
#
8167de96c523 proper licensing information (LGPL-2.1). Hope I get it right this time.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 5417
diff changeset
    16
# You should have received a copy of the GNU Lesser General Public License along
8167de96c523 proper licensing information (LGPL-2.1). Hope I get it right this time.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 5417
diff changeset
    17
# with CubicWeb.  If not, see <http://www.gnu.org/licenses/>.
5992
5f9a9086c171 cleanup
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 5426
diff changeset
    18
"""user authentication component"""
0
b97547f5f1fa Showtime !
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
diff changeset
    19
9175
a7412e884d7b fix typos in docstring, doc and comments
Julien Cristau <julien.cristau@logilab.fr>
parents: 8694
diff changeset
    20
from logilab.common.deprecation import class_renamed
12043
b8d2e6b9f548 Stop using Session on the repository side
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 11767
diff changeset
    21
from logilab.common.textutils import unormalize
0
b97547f5f1fa Showtime !
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
diff changeset
    22
10564
6b109900583b [web] the AuthenticationManager is no more an appobject
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 10370
diff changeset
    23
from cubicweb import AuthenticationError
12043
b8d2e6b9f548 Stop using Session on the repository side
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 11767
diff changeset
    24
from cubicweb.utils import make_uid
3658
d8f2ec7e91fa pluggable authentication information retreiver
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 3647
diff changeset
    25
from cubicweb.view import Component
5223
6abd6e3599f4 #773448: refactor session and 'no connection' handling, by introducing proper web session. We should now be able to see page even when no anon is configured, and be redirected to the login form as soon as one tries to do a query.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 4916
diff changeset
    26
from cubicweb.web import InvalidSession
12043
b8d2e6b9f548 Stop using Session on the repository side
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 11767
diff changeset
    27
from cubicweb.server.session import Connection
10370
480187dd66b3 [web] move AbstractAuthManager near its immediate concrete subclass
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 10331
diff changeset
    28
1668
d2ac1d681d70 delete-trailing-whitespaces
sylvain.thenault@logilab.fr
parents: 1490
diff changeset
    29
12046
9056a41d91ba Fix flake8 some errors
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 12043
diff changeset
    30
class NoAuthInfo(Exception):
9056a41d91ba Fix flake8 some errors
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 12043
diff changeset
    31
    pass
3658
d8f2ec7e91fa pluggable authentication information retreiver
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 3647
diff changeset
    32
d8f2ec7e91fa pluggable authentication information retreiver
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 3647
diff changeset
    33
9175
a7412e884d7b fix typos in docstring, doc and comments
Julien Cristau <julien.cristau@logilab.fr>
parents: 8694
diff changeset
    34
class WebAuthInfoRetriever(Component):
3658
d8f2ec7e91fa pluggable authentication information retreiver
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 3647
diff changeset
    35
    __registry__ = 'webauth'
d8f2ec7e91fa pluggable authentication information retreiver
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 3647
diff changeset
    36
    order = None
6389
72ba82a26e05 refactor login box & form to enable easy pluggability
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 6012
diff changeset
    37
    __abstract__ = True
3658
d8f2ec7e91fa pluggable authentication information retreiver
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 3647
diff changeset
    38
d8f2ec7e91fa pluggable authentication information retreiver
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 3647
diff changeset
    39
    def authentication_information(self, req):
9175
a7412e884d7b fix typos in docstring, doc and comments
Julien Cristau <julien.cristau@logilab.fr>
parents: 8694
diff changeset
    40
        """retrieve authentication information from the given request, raise
3658
d8f2ec7e91fa pluggable authentication information retreiver
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 3647
diff changeset
    41
        NoAuthInfo if expected information is not found.
d8f2ec7e91fa pluggable authentication information retreiver
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 3647
diff changeset
    42
        """
d8f2ec7e91fa pluggable authentication information retreiver
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 3647
diff changeset
    43
        raise NotImplementedError()
d8f2ec7e91fa pluggable authentication information retreiver
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 3647
diff changeset
    44
9883
0a5890491ab3 [web/auth] The auth retriever's authenticated() callback takes a session, not a cnx
Julien Cristau <julien.cristau@logilab.fr>
parents: 9402
diff changeset
    45
    def authenticated(self, retriever, req, session, login, authinfo):
3658
d8f2ec7e91fa pluggable authentication information retreiver
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 3647
diff changeset
    46
        """callback when return authentication information have opened a
5223
6abd6e3599f4 #773448: refactor session and 'no connection' handling, by introducing proper web session. We should now be able to see page even when no anon is configured, and be redirected to the login form as soon as one tries to do a query.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 4916
diff changeset
    47
        repository connection successfully. Take care req has no session
6abd6e3599f4 #773448: refactor session and 'no connection' handling, by introducing proper web session. We should now be able to see page even when no anon is configured, and be redirected to the login form as soon as one tries to do a query.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 4916
diff changeset
    48
        attached yet, hence req.execute isn't available.
3658
d8f2ec7e91fa pluggable authentication information retreiver
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 3647
diff changeset
    49
        """
d8f2ec7e91fa pluggable authentication information retreiver
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 3647
diff changeset
    50
        pass
d8f2ec7e91fa pluggable authentication information retreiver
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 3647
diff changeset
    51
6389
72ba82a26e05 refactor login box & form to enable easy pluggability
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 6012
diff changeset
    52
    def request_has_auth_info(self, req):
72ba82a26e05 refactor login box & form to enable easy pluggability
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 6012
diff changeset
    53
        """tells from the request if it has enough information
72ba82a26e05 refactor login box & form to enable easy pluggability
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 6012
diff changeset
    54
        to proceed to authentication, would the current session
72ba82a26e05 refactor login box & form to enable easy pluggability
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 6012
diff changeset
    55
        be invalidated
72ba82a26e05 refactor login box & form to enable easy pluggability
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 6012
diff changeset
    56
        """
72ba82a26e05 refactor login box & form to enable easy pluggability
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 6012
diff changeset
    57
        raise NotImplementedError()
72ba82a26e05 refactor login box & form to enable easy pluggability
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 6012
diff changeset
    58
72ba82a26e05 refactor login box & form to enable easy pluggability
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 6012
diff changeset
    59
    def revalidate_login(self, req):
6435
71b2a3fe7ba1 backport stable
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 6418
diff changeset
    60
        """returns a login string or None, for repository session validation
71b2a3fe7ba1 backport stable
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 6418
diff changeset
    61
        purposes
6389
72ba82a26e05 refactor login box & form to enable easy pluggability
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 6012
diff changeset
    62
        """
6391
e330ead0804b [authentication] force retriever implementor to think about it
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 6389
diff changeset
    63
        raise NotImplementedError()
3658
d8f2ec7e91fa pluggable authentication information retreiver
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 3647
diff changeset
    64
7908
faec7589f742 [web auth] closes #1981680: authentication info retriever should be given a chance to cleanup data
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 6848
diff changeset
    65
    def cleanup_authentication_information(self, req):
faec7589f742 [web auth] closes #1981680: authentication info retriever should be given a chance to cleanup data
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 6848
diff changeset
    66
        """called when the retriever has returned some authentication
faec7589f742 [web auth] closes #1981680: authentication info retriever should be given a chance to cleanup data
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 6848
diff changeset
    67
        information but we get an authentication error when using them, so it
9175
a7412e884d7b fix typos in docstring, doc and comments
Julien Cristau <julien.cristau@logilab.fr>
parents: 8694
diff changeset
    68
        get a chance to clean things up (e.g. remove cookie)
7908
faec7589f742 [web auth] closes #1981680: authentication info retriever should be given a chance to cleanup data
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 6848
diff changeset
    69
        """
faec7589f742 [web auth] closes #1981680: authentication info retriever should be given a chance to cleanup data
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 6848
diff changeset
    70
        pass
faec7589f742 [web auth] closes #1981680: authentication info retriever should be given a chance to cleanup data
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 6848
diff changeset
    71
12046
9056a41d91ba Fix flake8 some errors
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 12043
diff changeset
    72
9225
4b81252fccdd [deprecation] add cw version number to the deprecation message and help user to understand the change
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 9175
diff changeset
    73
WebAuthInfoRetreiver = class_renamed(
4b81252fccdd [deprecation] add cw version number to the deprecation message and help user to understand the change
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 9175
diff changeset
    74
    'WebAuthInfoRetreiver', WebAuthInfoRetriever,
4b81252fccdd [deprecation] add cw version number to the deprecation message and help user to understand the change
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 9175
diff changeset
    75
    '[3.17] WebAuthInfoRetreiver had been renamed into WebAuthInfoRetriever '
4b81252fccdd [deprecation] add cw version number to the deprecation message and help user to understand the change
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 9175
diff changeset
    76
    '("ie" instead of "ei")')
7908
faec7589f742 [web auth] closes #1981680: authentication info retriever should be given a chance to cleanup data
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 6848
diff changeset
    77
9175
a7412e884d7b fix typos in docstring, doc and comments
Julien Cristau <julien.cristau@logilab.fr>
parents: 8694
diff changeset
    78
a7412e884d7b fix typos in docstring, doc and comments
Julien Cristau <julien.cristau@logilab.fr>
parents: 8694
diff changeset
    79
class LoginPasswordRetriever(WebAuthInfoRetriever):
3658
d8f2ec7e91fa pluggable authentication information retreiver
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 3647
diff changeset
    80
    __regid__ = 'loginpwdauth'
d8f2ec7e91fa pluggable authentication information retreiver
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 3647
diff changeset
    81
    order = 10
d8f2ec7e91fa pluggable authentication information retreiver
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 3647
diff changeset
    82
d8f2ec7e91fa pluggable authentication information retreiver
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 3647
diff changeset
    83
    def authentication_information(self, req):
d8f2ec7e91fa pluggable authentication information retreiver
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 3647
diff changeset
    84
        """retreive authentication information from the given request, raise
d8f2ec7e91fa pluggable authentication information retreiver
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 3647
diff changeset
    85
        NoAuthInfo if expected information is not found.
d8f2ec7e91fa pluggable authentication information retreiver
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 3647
diff changeset
    86
        """
d8f2ec7e91fa pluggable authentication information retreiver
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 3647
diff changeset
    87
        login, password = req.get_authorization()
d8f2ec7e91fa pluggable authentication information retreiver
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 3647
diff changeset
    88
        if not login:
4910
f40fddaa79ad [web auth] fix authentication pb when anonymous are allowed, avoiding the first authentifier to return an anon connection while a following one may find correct authentication info. This make things simpler (eventually)
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 4856
diff changeset
    89
            raise NoAuthInfo()
3658
d8f2ec7e91fa pluggable authentication information retreiver
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 3647
diff changeset
    90
        return login, {'password': password}
d8f2ec7e91fa pluggable authentication information retreiver
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 3647
diff changeset
    91
6389
72ba82a26e05 refactor login box & form to enable easy pluggability
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 6012
diff changeset
    92
    def request_has_auth_info(self, req):
6418
948a9f8514b2 [views/authentication] fix http auth regression (no message)
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 6391
diff changeset
    93
        return req.get_authorization()[0] is not None
6389
72ba82a26e05 refactor login box & form to enable easy pluggability
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 6012
diff changeset
    94
72ba82a26e05 refactor login box & form to enable easy pluggability
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 6012
diff changeset
    95
    def revalidate_login(self, req):
72ba82a26e05 refactor login box & form to enable easy pluggability
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 6012
diff changeset
    96
        return req.get_authorization()[0]
0
b97547f5f1fa Showtime !
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
diff changeset
    97
12046
9056a41d91ba Fix flake8 some errors
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 12043
diff changeset
    98
9225
4b81252fccdd [deprecation] add cw version number to the deprecation message and help user to understand the change
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 9175
diff changeset
    99
LoginPasswordRetreiver = class_renamed(
4b81252fccdd [deprecation] add cw version number to the deprecation message and help user to understand the change
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 9175
diff changeset
   100
    'LoginPasswordRetreiver', LoginPasswordRetriever,
4b81252fccdd [deprecation] add cw version number to the deprecation message and help user to understand the change
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 9175
diff changeset
   101
    '[3.17] LoginPasswordRetreiver had been renamed into LoginPasswordRetriever '
4b81252fccdd [deprecation] add cw version number to the deprecation message and help user to understand the change
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 9175
diff changeset
   102
    '("ie" instead of "ei")')
9175
a7412e884d7b fix typos in docstring, doc and comments
Julien Cristau <julien.cristau@logilab.fr>
parents: 8694
diff changeset
   103
a7412e884d7b fix typos in docstring, doc and comments
Julien Cristau <julien.cristau@logilab.fr>
parents: 8694
diff changeset
   104
12043
b8d2e6b9f548 Stop using Session on the repository side
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 11767
diff changeset
   105
class Session(object):
b8d2e6b9f548 Stop using Session on the repository side
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 11767
diff changeset
   106
    """In-memory user session
b8d2e6b9f548 Stop using Session on the repository side
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 11767
diff changeset
   107
    """
b8d2e6b9f548 Stop using Session on the repository side
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 11767
diff changeset
   108
b8d2e6b9f548 Stop using Session on the repository side
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 11767
diff changeset
   109
    def __init__(self, repo, user):
b8d2e6b9f548 Stop using Session on the repository side
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 11767
diff changeset
   110
        self.user = user  # XXX deprecate and store only a login.
b8d2e6b9f548 Stop using Session on the repository side
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 11767
diff changeset
   111
        self.repo = repo
b8d2e6b9f548 Stop using Session on the repository side
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 11767
diff changeset
   112
        self.sessionid = make_uid(unormalize(user.login))
b8d2e6b9f548 Stop using Session on the repository side
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 11767
diff changeset
   113
        self.data = {}
b8d2e6b9f548 Stop using Session on the repository side
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 11767
diff changeset
   114
b8d2e6b9f548 Stop using Session on the repository side
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 11767
diff changeset
   115
    def __unicode__(self):
b8d2e6b9f548 Stop using Session on the repository side
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 11767
diff changeset
   116
        return '<session %s (0x%x)>' % (unicode(self.user.login), id(self))
b8d2e6b9f548 Stop using Session on the repository side
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 11767
diff changeset
   117
b8d2e6b9f548 Stop using Session on the repository side
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 11767
diff changeset
   118
    @property
b8d2e6b9f548 Stop using Session on the repository side
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 11767
diff changeset
   119
    def anonymous_session(self):
b8d2e6b9f548 Stop using Session on the repository side
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 11767
diff changeset
   120
        # XXX for now, anonymous_user only exists in webconfig (and testconfig).
b8d2e6b9f548 Stop using Session on the repository side
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 11767
diff changeset
   121
        # It will only be present inside all-in-one instance.
b8d2e6b9f548 Stop using Session on the repository side
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 11767
diff changeset
   122
        # there is plan to move it down to global config.
b8d2e6b9f548 Stop using Session on the repository side
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 11767
diff changeset
   123
        if not hasattr(self.repo.config, 'anonymous_user'):
b8d2e6b9f548 Stop using Session on the repository side
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 11767
diff changeset
   124
            # not a web or test config, no anonymous user
b8d2e6b9f548 Stop using Session on the repository side
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 11767
diff changeset
   125
            return False
b8d2e6b9f548 Stop using Session on the repository side
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 11767
diff changeset
   126
        return self.user.login == self.repo.config.anonymous_user()[0]
b8d2e6b9f548 Stop using Session on the repository side
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 11767
diff changeset
   127
b8d2e6b9f548 Stop using Session on the repository side
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 11767
diff changeset
   128
    def new_cnx(self):
b8d2e6b9f548 Stop using Session on the repository side
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 11767
diff changeset
   129
        """Return a new Connection object linked to the session
b8d2e6b9f548 Stop using Session on the repository side
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 11767
diff changeset
   130
b8d2e6b9f548 Stop using Session on the repository side
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 11767
diff changeset
   131
        The returned Connection will *not* be managed by the Session.
b8d2e6b9f548 Stop using Session on the repository side
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 11767
diff changeset
   132
        """
b8d2e6b9f548 Stop using Session on the repository side
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 11767
diff changeset
   133
        cnx = Connection(self.repo, self.user)
b8d2e6b9f548 Stop using Session on the repository side
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 11767
diff changeset
   134
        cnx.session = self
b8d2e6b9f548 Stop using Session on the repository side
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 11767
diff changeset
   135
        return cnx
b8d2e6b9f548 Stop using Session on the repository side
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 11767
diff changeset
   136
10370
480187dd66b3 [web] move AbstractAuthManager near its immediate concrete subclass
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 10331
diff changeset
   137
10564
6b109900583b [web] the AuthenticationManager is no more an appobject
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 10370
diff changeset
   138
class RepositoryAuthenticationManager(object):
0
b97547f5f1fa Showtime !
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
diff changeset
   139
    """authenticate user associated to a request and check session validity"""
1668
d2ac1d681d70 delete-trailing-whitespaces
sylvain.thenault@logilab.fr
parents: 1490
diff changeset
   140
9032
629a8d49d6f5 [auth] pass `repo` instead of `vreg` to SessionManager and AuthenticationManager
Pierre-Yves David <pierre-yves.david@logilab.fr>
parents: 8694
diff changeset
   141
    def __init__(self, repo):
629a8d49d6f5 [auth] pass `repo` instead of `vreg` to SessionManager and AuthenticationManager
Pierre-Yves David <pierre-yves.david@logilab.fr>
parents: 8694
diff changeset
   142
        self.repo = repo
629a8d49d6f5 [auth] pass `repo` instead of `vreg` to SessionManager and AuthenticationManager
Pierre-Yves David <pierre-yves.david@logilab.fr>
parents: 8694
diff changeset
   143
        vreg = repo.vreg
2887
1282dc6525c5 give vreg where we need it (eg no bound request)
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 2267
diff changeset
   144
        self.log_queries = vreg.config['query-log-file']
6389
72ba82a26e05 refactor login box & form to enable easy pluggability
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 6012
diff changeset
   145
        self.authinforetrievers = sorted(vreg['webauth'].possible_objects(vreg),
6012
d56fd78006cd [session] cleanup session-time / cleanup-session-time...
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 5992
diff changeset
   146
                                         key=lambda x: x.order)
5223
6abd6e3599f4 #773448: refactor session and 'no connection' handling, by introducing proper web session. We should now be able to see page even when no anon is configured, and be redirected to the login form as soon as one tries to do a query.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 4916
diff changeset
   147
        # 2-uple login / password, login is None when no anonymous access
6abd6e3599f4 #773448: refactor session and 'no connection' handling, by introducing proper web session. We should now be able to see page even when no anon is configured, and be redirected to the login form as soon as one tries to do a query.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 4916
diff changeset
   148
        # configured
4910
f40fddaa79ad [web auth] fix authentication pb when anonymous are allowed, avoiding the first authentifier to return an anon connection while a following one may find correct authentication info. This make things simpler (eventually)
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 4856
diff changeset
   149
        self.anoninfo = vreg.config.anonymous_user()
5223
6abd6e3599f4 #773448: refactor session and 'no connection' handling, by introducing proper web session. We should now be able to see page even when no anon is configured, and be redirected to the login form as soon as one tries to do a query.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 4916
diff changeset
   150
        if self.anoninfo[0]:
6abd6e3599f4 #773448: refactor session and 'no connection' handling, by introducing proper web session. We should now be able to see page even when no anon is configured, and be redirected to the login form as soon as one tries to do a query.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 4916
diff changeset
   151
            self.anoninfo = (self.anoninfo[0], {'password': self.anoninfo[1]})
0
b97547f5f1fa Showtime !
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
diff changeset
   152
b97547f5f1fa Showtime !
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
diff changeset
   153
    def validate_session(self, req, session):
6848
f87cd875c6db [web session] cleanup session/authentication api: we don't have anymore to store authentication information on web session since the auto-reconnection feature has been dropped (eg in 3.10)
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 6435
diff changeset
   154
        """check session validity and return the connected user on success.
0
b97547f5f1fa Showtime !
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
diff changeset
   155
5223
6abd6e3599f4 #773448: refactor session and 'no connection' handling, by introducing proper web session. We should now be able to see page even when no anon is configured, and be redirected to the login form as soon as one tries to do a query.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 4916
diff changeset
   156
        raise :exc:`InvalidSession` if session is corrupted for a reason or
6abd6e3599f4 #773448: refactor session and 'no connection' handling, by introducing proper web session. We should now be able to see page even when no anon is configured, and be redirected to the login form as soon as one tries to do a query.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 4916
diff changeset
   157
        another and should be closed
6389
72ba82a26e05 refactor login box & form to enable easy pluggability
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 6012
diff changeset
   158
72ba82a26e05 refactor login box & form to enable easy pluggability
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 6012
diff changeset
   159
        also invoked while going from anonymous to logged in
0
b97547f5f1fa Showtime !
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
diff changeset
   160
        """
6389
72ba82a26e05 refactor login box & form to enable easy pluggability
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 6012
diff changeset
   161
        for retriever in self.authinforetrievers:
72ba82a26e05 refactor login box & form to enable easy pluggability
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 6012
diff changeset
   162
            if retriever.request_has_auth_info(req):
72ba82a26e05 refactor login box & form to enable easy pluggability
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 6012
diff changeset
   163
                login = retriever.revalidate_login(req)
72ba82a26e05 refactor login box & form to enable easy pluggability
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 6012
diff changeset
   164
                return self._validate_session(req, session, login)
72ba82a26e05 refactor login box & form to enable easy pluggability
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 6012
diff changeset
   165
        # let's try with the current session
72ba82a26e05 refactor login box & form to enable easy pluggability
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 6012
diff changeset
   166
        return self._validate_session(req, session, None)
72ba82a26e05 refactor login box & form to enable easy pluggability
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 6012
diff changeset
   167
72ba82a26e05 refactor login box & form to enable easy pluggability
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 6012
diff changeset
   168
    def _validate_session(self, req, session, login):
5251
b675edd05c19 [web session] fix web session id bug on automatic reconnection. The web session id should keep the first connection id, then differ of the repo connection id once some reconnection has been done (since the session cookie isn't updated in such cases). Also, use a lock to avoid potential race condition on reconnection.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 5223
diff changeset
   169
        # check session.login and not user.login, since in case of login by
5223
6abd6e3599f4 #773448: refactor session and 'no connection' handling, by introducing proper web session. We should now be able to see page even when no anon is configured, and be redirected to the login form as soon as one tries to do a query.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 4916
diff changeset
   170
        # email, login and cnx.login are the email while user.login is the
6abd6e3599f4 #773448: refactor session and 'no connection' handling, by introducing proper web session. We should now be able to see page even when no anon is configured, and be redirected to the login form as soon as one tries to do a query.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 4916
diff changeset
   171
        # actual user login
12043
b8d2e6b9f548 Stop using Session on the repository side
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 11767
diff changeset
   172
        if login and session.user.login != login:
5223
6abd6e3599f4 #773448: refactor session and 'no connection' handling, by introducing proper web session. We should now be able to see page even when no anon is configured, and be redirected to the login form as soon as one tries to do a query.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 4916
diff changeset
   173
            raise InvalidSession('login mismatch')
1488
6da89a703c5a add ability to login with a primary email address - no tests for now are unittest_application.py are now broken
Florent <florent@secondweb.fr>
parents: 0
diff changeset
   174
3658
d8f2ec7e91fa pluggable authentication information retreiver
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 3647
diff changeset
   175
    def authenticate(self, req):
5223
6abd6e3599f4 #773448: refactor session and 'no connection' handling, by introducing proper web session. We should now be able to see page even when no anon is configured, and be redirected to the login form as soon as one tries to do a query.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 4916
diff changeset
   176
        """authenticate user using connection information found in the request,
6abd6e3599f4 #773448: refactor session and 'no connection' handling, by introducing proper web session. We should now be able to see page even when no anon is configured, and be redirected to the login form as soon as one tries to do a query.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 4916
diff changeset
   177
        and return corresponding a :class:`~cubicweb.dbapi.Connection` instance,
6848
f87cd875c6db [web session] cleanup session/authentication api: we don't have anymore to store authentication information on web session since the auto-reconnection feature has been dropped (eg in 3.10)
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 6435
diff changeset
   178
        as well as login used to open the connection.
1488
6da89a703c5a add ability to login with a primary email address - no tests for now are unittest_application.py are now broken
Florent <florent@secondweb.fr>
parents: 0
diff changeset
   179
5223
6abd6e3599f4 #773448: refactor session and 'no connection' handling, by introducing proper web session. We should now be able to see page even when no anon is configured, and be redirected to the login form as soon as one tries to do a query.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 4916
diff changeset
   180
        raise :exc:`cubicweb.AuthenticationError` if authentication failed
6abd6e3599f4 #773448: refactor session and 'no connection' handling, by introducing proper web session. We should now be able to see page even when no anon is configured, and be redirected to the login form as soon as one tries to do a query.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 4916
diff changeset
   181
        (no authentication info found or wrong user/password)
0
b97547f5f1fa Showtime !
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
diff changeset
   182
        """
10042
3e010722c071 [web/auth] stop playing games with locals()
Julien Cristau <julien.cristau@logilab.fr>
parents: 9883
diff changeset
   183
        has_auth = False
6389
72ba82a26e05 refactor login box & form to enable easy pluggability
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 6012
diff changeset
   184
        for retriever in self.authinforetrievers:
3658
d8f2ec7e91fa pluggable authentication information retreiver
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 3647
diff changeset
   185
            try:
6389
72ba82a26e05 refactor login box & form to enable easy pluggability
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 6012
diff changeset
   186
                login, authinfo = retriever.authentication_information(req)
3658
d8f2ec7e91fa pluggable authentication information retreiver
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 3647
diff changeset
   187
            except NoAuthInfo:
d8f2ec7e91fa pluggable authentication information retreiver
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 3647
diff changeset
   188
                continue
10042
3e010722c071 [web/auth] stop playing games with locals()
Julien Cristau <julien.cristau@logilab.fr>
parents: 9883
diff changeset
   189
            has_auth = True
4855
e69b2f2f2d61 when some authentication plugin fail, we may try another one
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 4252
diff changeset
   190
            try:
9071
46885bfa4150 Use new repoapi for the web stack
Pierre-Yves David <pierre-yves.david@logilab.fr>
parents: 9042
diff changeset
   191
                session = self._authenticate(login, authinfo)
5223
6abd6e3599f4 #773448: refactor session and 'no connection' handling, by introducing proper web session. We should now be able to see page even when no anon is configured, and be redirected to the login form as soon as one tries to do a query.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 4916
diff changeset
   192
            except AuthenticationError:
7908
faec7589f742 [web auth] closes #1981680: authentication info retriever should be given a chance to cleanup data
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 6848
diff changeset
   193
                retriever.cleanup_authentication_information(req)
12046
9056a41d91ba Fix flake8 some errors
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 12043
diff changeset
   194
                continue  # the next one may succeed
6389
72ba82a26e05 refactor login box & form to enable easy pluggability
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 6012
diff changeset
   195
            for retriever_ in self.authinforetrievers:
9071
46885bfa4150 Use new repoapi for the web stack
Pierre-Yves David <pierre-yves.david@logilab.fr>
parents: 9042
diff changeset
   196
                retriever_.authenticated(retriever, req, session, login, authinfo)
46885bfa4150 Use new repoapi for the web stack
Pierre-Yves David <pierre-yves.david@logilab.fr>
parents: 9042
diff changeset
   197
            return session, login
10042
3e010722c071 [web/auth] stop playing games with locals()
Julien Cristau <julien.cristau@logilab.fr>
parents: 9883
diff changeset
   198
        # false if no authentication info found, i.e. this is not an
5223
6abd6e3599f4 #773448: refactor session and 'no connection' handling, by introducing proper web session. We should now be able to see page even when no anon is configured, and be redirected to the login form as soon as one tries to do a query.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 4916
diff changeset
   199
        # authentication failure
10042
3e010722c071 [web/auth] stop playing games with locals()
Julien Cristau <julien.cristau@logilab.fr>
parents: 9883
diff changeset
   200
        if has_auth:
5223
6abd6e3599f4 #773448: refactor session and 'no connection' handling, by introducing proper web session. We should now be able to see page even when no anon is configured, and be redirected to the login form as soon as one tries to do a query.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 4916
diff changeset
   201
            req.set_message(req._('authentication failure'))
6abd6e3599f4 #773448: refactor session and 'no connection' handling, by introducing proper web session. We should now be able to see page even when no anon is configured, and be redirected to the login form as soon as one tries to do a query.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 4916
diff changeset
   202
        login, authinfo = self.anoninfo
6abd6e3599f4 #773448: refactor session and 'no connection' handling, by introducing proper web session. We should now be able to see page even when no anon is configured, and be redirected to the login form as soon as one tries to do a query.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 4916
diff changeset
   203
        if login:
9071
46885bfa4150 Use new repoapi for the web stack
Pierre-Yves David <pierre-yves.david@logilab.fr>
parents: 9042
diff changeset
   204
            session = self._authenticate(login, authinfo)
46885bfa4150 Use new repoapi for the web stack
Pierre-Yves David <pierre-yves.david@logilab.fr>
parents: 9042
diff changeset
   205
            return session, login
5223
6abd6e3599f4 #773448: refactor session and 'no connection' handling, by introducing proper web session. We should now be able to see page even when no anon is configured, and be redirected to the login form as soon as one tries to do a query.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 4916
diff changeset
   206
        raise AuthenticationError()
3658
d8f2ec7e91fa pluggable authentication information retreiver
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 3647
diff changeset
   207
5223
6abd6e3599f4 #773448: refactor session and 'no connection' handling, by introducing proper web session. We should now be able to see page even when no anon is configured, and be redirected to the login form as soon as one tries to do a query.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 4916
diff changeset
   208
    def _authenticate(self, login, authinfo):
12043
b8d2e6b9f548 Stop using Session on the repository side
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 11767
diff changeset
   209
        with self.repo.internal_cnx() as cnx:
b8d2e6b9f548 Stop using Session on the repository side
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 11767
diff changeset
   210
            user = self.repo.authenticate_user(cnx, login, **authinfo)
b8d2e6b9f548 Stop using Session on the repository side
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 11767
diff changeset
   211
        return Session(self.repo, user)