web/views/authentication.py
author Sylvain Thénault <sylvain.thenault@logilab.fr>
Fri, 23 Apr 2010 12:42:53 +0200
changeset 5385 b6e250dd7a7d
parent 5251 b675edd05c19
child 5423 e15abfdcce38
permissions -rw-r--r--
backport stable
0
b97547f5f1fa Showtime !
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
diff changeset
     1
"""user authentication component
b97547f5f1fa Showtime !
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
diff changeset
     2
b97547f5f1fa Showtime !
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
diff changeset
     3
:organization: Logilab
4212
ab6573088b4a update copyright: welcome 2010
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents: 2267
diff changeset
     4
:copyright: 2001-2010 LOGILAB S.A. (Paris, FRANCE), license is LGPL v2.
0
b97547f5f1fa Showtime !
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
diff changeset
     5
:contact: http://www.logilab.fr/ -- mailto:contact@logilab.fr
1977
606923dff11b big bunch of copyright / docstring update
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents: 1690
diff changeset
     6
:license: GNU Lesser General Public License, v2.1 - http://www.gnu.org/licenses
0
b97547f5f1fa Showtime !
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
diff changeset
     7
"""
5251
b675edd05c19 [web session] fix web session id bug on automatic reconnection. The web session id should keep the first connection id, then differ of the repo connection id once some reconnection has been done (since the session cookie isn't updated in such cases). Also, use a lock to avoid potential race condition on reconnection.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 5223
diff changeset
     8
from __future__ import with_statement
b675edd05c19 [web session] fix web session id bug on automatic reconnection. The web session id should keep the first connection id, then differ of the repo connection id once some reconnection has been done (since the session cookie isn't updated in such cases). Also, use a lock to avoid potential race condition on reconnection.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 5223
diff changeset
     9
0
b97547f5f1fa Showtime !
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
diff changeset
    10
__docformat__ = "restructuredtext en"
b97547f5f1fa Showtime !
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
diff changeset
    11
5251
b675edd05c19 [web session] fix web session id bug on automatic reconnection. The web session id should keep the first connection id, then differ of the repo connection id once some reconnection has been done (since the session cookie isn't updated in such cases). Also, use a lock to avoid potential race condition on reconnection.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 5223
diff changeset
    12
from threading import Lock
b675edd05c19 [web session] fix web session id bug on automatic reconnection. The web session id should keep the first connection id, then differ of the repo connection id once some reconnection has been done (since the session cookie isn't updated in such cases). Also, use a lock to avoid potential race condition on reconnection.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 5223
diff changeset
    13
0
b97547f5f1fa Showtime !
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
diff changeset
    14
from logilab.common.decorators import clear_cache
b97547f5f1fa Showtime !
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
diff changeset
    15
b97547f5f1fa Showtime !
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
diff changeset
    16
from cubicweb import AuthenticationError, BadConnectionId
3658
d8f2ec7e91fa pluggable authentication information retreiver
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 3647
diff changeset
    17
from cubicweb.view import Component
0
b97547f5f1fa Showtime !
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
diff changeset
    18
from cubicweb.dbapi import repo_connect, ConnectionProperties
5223
6abd6e3599f4 #773448: refactor session and 'no connection' handling, by introducing proper web session. We should now be able to see page even when no anon is configured, and be redirected to the login form as soon as one tries to do a query.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 4916
diff changeset
    19
from cubicweb.web import InvalidSession
0
b97547f5f1fa Showtime !
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
diff changeset
    20
from cubicweb.web.application import AbstractAuthenticationManager
1668
d2ac1d681d70 delete-trailing-whitespaces
sylvain.thenault@logilab.fr
parents: 1490
diff changeset
    21
3658
d8f2ec7e91fa pluggable authentication information retreiver
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 3647
diff changeset
    22
class NoAuthInfo(Exception): pass
d8f2ec7e91fa pluggable authentication information retreiver
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 3647
diff changeset
    23
d8f2ec7e91fa pluggable authentication information retreiver
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 3647
diff changeset
    24
d8f2ec7e91fa pluggable authentication information retreiver
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 3647
diff changeset
    25
class WebAuthInfoRetreiver(Component):
d8f2ec7e91fa pluggable authentication information retreiver
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 3647
diff changeset
    26
    __registry__ = 'webauth'
d8f2ec7e91fa pluggable authentication information retreiver
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 3647
diff changeset
    27
    order = None
d8f2ec7e91fa pluggable authentication information retreiver
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 3647
diff changeset
    28
d8f2ec7e91fa pluggable authentication information retreiver
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 3647
diff changeset
    29
    def authentication_information(self, req):
d8f2ec7e91fa pluggable authentication information retreiver
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 3647
diff changeset
    30
        """retreive authentication information from the given request, raise
d8f2ec7e91fa pluggable authentication information retreiver
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 3647
diff changeset
    31
        NoAuthInfo if expected information is not found.
d8f2ec7e91fa pluggable authentication information retreiver
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 3647
diff changeset
    32
        """
d8f2ec7e91fa pluggable authentication information retreiver
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 3647
diff changeset
    33
        raise NotImplementedError()
d8f2ec7e91fa pluggable authentication information retreiver
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 3647
diff changeset
    34
5223
6abd6e3599f4 #773448: refactor session and 'no connection' handling, by introducing proper web session. We should now be able to see page even when no anon is configured, and be redirected to the login form as soon as one tries to do a query.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 4916
diff changeset
    35
    def authenticated(self, retreiver, req, cnx, login, authinfo):
3658
d8f2ec7e91fa pluggable authentication information retreiver
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 3647
diff changeset
    36
        """callback when return authentication information have opened a
5223
6abd6e3599f4 #773448: refactor session and 'no connection' handling, by introducing proper web session. We should now be able to see page even when no anon is configured, and be redirected to the login form as soon as one tries to do a query.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 4916
diff changeset
    37
        repository connection successfully. Take care req has no session
6abd6e3599f4 #773448: refactor session and 'no connection' handling, by introducing proper web session. We should now be able to see page even when no anon is configured, and be redirected to the login form as soon as one tries to do a query.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 4916
diff changeset
    38
        attached yet, hence req.execute isn't available.
3658
d8f2ec7e91fa pluggable authentication information retreiver
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 3647
diff changeset
    39
        """
d8f2ec7e91fa pluggable authentication information retreiver
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 3647
diff changeset
    40
        pass
d8f2ec7e91fa pluggable authentication information retreiver
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 3647
diff changeset
    41
d8f2ec7e91fa pluggable authentication information retreiver
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 3647
diff changeset
    42
d8f2ec7e91fa pluggable authentication information retreiver
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 3647
diff changeset
    43
class LoginPasswordRetreiver(WebAuthInfoRetreiver):
d8f2ec7e91fa pluggable authentication information retreiver
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 3647
diff changeset
    44
    __regid__ = 'loginpwdauth'
d8f2ec7e91fa pluggable authentication information retreiver
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 3647
diff changeset
    45
    order = 10
d8f2ec7e91fa pluggable authentication information retreiver
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 3647
diff changeset
    46
d8f2ec7e91fa pluggable authentication information retreiver
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 3647
diff changeset
    47
    def authentication_information(self, req):
d8f2ec7e91fa pluggable authentication information retreiver
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 3647
diff changeset
    48
        """retreive authentication information from the given request, raise
d8f2ec7e91fa pluggable authentication information retreiver
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 3647
diff changeset
    49
        NoAuthInfo if expected information is not found.
d8f2ec7e91fa pluggable authentication information retreiver
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 3647
diff changeset
    50
        """
d8f2ec7e91fa pluggable authentication information retreiver
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 3647
diff changeset
    51
        login, password = req.get_authorization()
d8f2ec7e91fa pluggable authentication information retreiver
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 3647
diff changeset
    52
        if not login:
4910
f40fddaa79ad [web auth] fix authentication pb when anonymous are allowed, avoiding the first authentifier to return an anon connection while a following one may find correct authentication info. This make things simpler (eventually)
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 4856
diff changeset
    53
            raise NoAuthInfo()
3658
d8f2ec7e91fa pluggable authentication information retreiver
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 3647
diff changeset
    54
        return login, {'password': password}
d8f2ec7e91fa pluggable authentication information retreiver
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 3647
diff changeset
    55
0
b97547f5f1fa Showtime !
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
diff changeset
    56
b97547f5f1fa Showtime !
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
diff changeset
    57
class RepositoryAuthenticationManager(AbstractAuthenticationManager):
b97547f5f1fa Showtime !
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
diff changeset
    58
    """authenticate user associated to a request and check session validity"""
1668
d2ac1d681d70 delete-trailing-whitespaces
sylvain.thenault@logilab.fr
parents: 1490
diff changeset
    59
2887
1282dc6525c5 give vreg where we need it (eg no bound request)
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 2267
diff changeset
    60
    def __init__(self, vreg):
1282dc6525c5 give vreg where we need it (eg no bound request)
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 2267
diff changeset
    61
        super(RepositoryAuthenticationManager, self).__init__(vreg)
1282dc6525c5 give vreg where we need it (eg no bound request)
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 2267
diff changeset
    62
        self.repo = vreg.config.repository(vreg)
1282dc6525c5 give vreg where we need it (eg no bound request)
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 2267
diff changeset
    63
        self.log_queries = vreg.config['query-log-file']
3658
d8f2ec7e91fa pluggable authentication information retreiver
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 3647
diff changeset
    64
        self.authinforetreivers = sorted(vreg['webauth'].possible_objects(vreg),
d8f2ec7e91fa pluggable authentication information retreiver
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 3647
diff changeset
    65
                                    key=lambda x: x.order)
d8f2ec7e91fa pluggable authentication information retreiver
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 3647
diff changeset
    66
        assert self.authinforetreivers
5223
6abd6e3599f4 #773448: refactor session and 'no connection' handling, by introducing proper web session. We should now be able to see page even when no anon is configured, and be redirected to the login form as soon as one tries to do a query.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 4916
diff changeset
    67
        # 2-uple login / password, login is None when no anonymous access
6abd6e3599f4 #773448: refactor session and 'no connection' handling, by introducing proper web session. We should now be able to see page even when no anon is configured, and be redirected to the login form as soon as one tries to do a query.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 4916
diff changeset
    68
        # configured
4910
f40fddaa79ad [web auth] fix authentication pb when anonymous are allowed, avoiding the first authentifier to return an anon connection while a following one may find correct authentication info. This make things simpler (eventually)
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 4856
diff changeset
    69
        self.anoninfo = vreg.config.anonymous_user()
5223
6abd6e3599f4 #773448: refactor session and 'no connection' handling, by introducing proper web session. We should now be able to see page even when no anon is configured, and be redirected to the login form as soon as one tries to do a query.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 4916
diff changeset
    70
        if self.anoninfo[0]:
6abd6e3599f4 #773448: refactor session and 'no connection' handling, by introducing proper web session. We should now be able to see page even when no anon is configured, and be redirected to the login form as soon as one tries to do a query.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 4916
diff changeset
    71
            self.anoninfo = (self.anoninfo[0], {'password': self.anoninfo[1]})
0
b97547f5f1fa Showtime !
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
diff changeset
    72
b97547f5f1fa Showtime !
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
diff changeset
    73
    def validate_session(self, req, session):
5223
6abd6e3599f4 #773448: refactor session and 'no connection' handling, by introducing proper web session. We should now be able to see page even when no anon is configured, and be redirected to the login form as soon as one tries to do a query.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 4916
diff changeset
    74
        """check session validity, reconnecting it to the repository if the
6abd6e3599f4 #773448: refactor session and 'no connection' handling, by introducing proper web session. We should now be able to see page even when no anon is configured, and be redirected to the login form as soon as one tries to do a query.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 4916
diff changeset
    75
        associated connection expired in the repository side (hence the
6abd6e3599f4 #773448: refactor session and 'no connection' handling, by introducing proper web session. We should now be able to see page even when no anon is configured, and be redirected to the login form as soon as one tries to do a query.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 4916
diff changeset
    76
        necessity for this method). Return the connected user on success.
0
b97547f5f1fa Showtime !
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
diff changeset
    77
5223
6abd6e3599f4 #773448: refactor session and 'no connection' handling, by introducing proper web session. We should now be able to see page even when no anon is configured, and be redirected to the login form as soon as one tries to do a query.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 4916
diff changeset
    78
        raise :exc:`InvalidSession` if session is corrupted for a reason or
6abd6e3599f4 #773448: refactor session and 'no connection' handling, by introducing proper web session. We should now be able to see page even when no anon is configured, and be redirected to the login form as soon as one tries to do a query.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 4916
diff changeset
    79
        another and should be closed
0
b97547f5f1fa Showtime !
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
diff changeset
    80
        """
b97547f5f1fa Showtime !
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
diff changeset
    81
        # with this authentication manager, session is actually a dbapi
b97547f5f1fa Showtime !
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
diff changeset
    82
        # connection
b97547f5f1fa Showtime !
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
diff changeset
    83
        login = req.get_authorization()[0]
5251
b675edd05c19 [web session] fix web session id bug on automatic reconnection. The web session id should keep the first connection id, then differ of the repo connection id once some reconnection has been done (since the session cookie isn't updated in such cases). Also, use a lock to avoid potential race condition on reconnection.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 5223
diff changeset
    84
        # check session.login and not user.login, since in case of login by
5223
6abd6e3599f4 #773448: refactor session and 'no connection' handling, by introducing proper web session. We should now be able to see page even when no anon is configured, and be redirected to the login form as soon as one tries to do a query.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 4916
diff changeset
    85
        # email, login and cnx.login are the email while user.login is the
6abd6e3599f4 #773448: refactor session and 'no connection' handling, by introducing proper web session. We should now be able to see page even when no anon is configured, and be redirected to the login form as soon as one tries to do a query.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 4916
diff changeset
    86
        # actual user login
6abd6e3599f4 #773448: refactor session and 'no connection' handling, by introducing proper web session. We should now be able to see page even when no anon is configured, and be redirected to the login form as soon as one tries to do a query.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 4916
diff changeset
    87
        if login and session.login != login:
6abd6e3599f4 #773448: refactor session and 'no connection' handling, by introducing proper web session. We should now be able to see page even when no anon is configured, and be redirected to the login form as soon as one tries to do a query.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 4916
diff changeset
    88
            raise InvalidSession('login mismatch')
0
b97547f5f1fa Showtime !
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
diff changeset
    89
        try:
5251
b675edd05c19 [web session] fix web session id bug on automatic reconnection. The web session id should keep the first connection id, then differ of the repo connection id once some reconnection has been done (since the session cookie isn't updated in such cases). Also, use a lock to avoid potential race condition on reconnection.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 5223
diff changeset
    90
            lock = session.reconnection_lock
b675edd05c19 [web session] fix web session id bug on automatic reconnection. The web session id should keep the first connection id, then differ of the repo connection id once some reconnection has been done (since the session cookie isn't updated in such cases). Also, use a lock to avoid potential race condition on reconnection.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 5223
diff changeset
    91
        except AttributeError:
b675edd05c19 [web session] fix web session id bug on automatic reconnection. The web session id should keep the first connection id, then differ of the repo connection id once some reconnection has been done (since the session cookie isn't updated in such cases). Also, use a lock to avoid potential race condition on reconnection.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 5223
diff changeset
    92
            lock = session.reconnection_lock = Lock()
b675edd05c19 [web session] fix web session id bug on automatic reconnection. The web session id should keep the first connection id, then differ of the repo connection id once some reconnection has been done (since the session cookie isn't updated in such cases). Also, use a lock to avoid potential race condition on reconnection.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 5223
diff changeset
    93
        # need to be locked two avoid duplicated reconnections on concurrent
b675edd05c19 [web session] fix web session id bug on automatic reconnection. The web session id should keep the first connection id, then differ of the repo connection id once some reconnection has been done (since the session cookie isn't updated in such cases). Also, use a lock to avoid potential race condition on reconnection.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 5223
diff changeset
    94
        # requests
b675edd05c19 [web session] fix web session id bug on automatic reconnection. The web session id should keep the first connection id, then differ of the repo connection id once some reconnection has been done (since the session cookie isn't updated in such cases). Also, use a lock to avoid potential race condition on reconnection.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 5223
diff changeset
    95
        with lock:
b675edd05c19 [web session] fix web session id bug on automatic reconnection. The web session id should keep the first connection id, then differ of the repo connection id once some reconnection has been done (since the session cookie isn't updated in such cases). Also, use a lock to avoid potential race condition on reconnection.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 5223
diff changeset
    96
            cnx = session.cnx
b675edd05c19 [web session] fix web session id bug on automatic reconnection. The web session id should keep the first connection id, then differ of the repo connection id once some reconnection has been done (since the session cookie isn't updated in such cases). Also, use a lock to avoid potential race condition on reconnection.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 5223
diff changeset
    97
            try:
b675edd05c19 [web session] fix web session id bug on automatic reconnection. The web session id should keep the first connection id, then differ of the repo connection id once some reconnection has been done (since the session cookie isn't updated in such cases). Also, use a lock to avoid potential race condition on reconnection.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 5223
diff changeset
    98
                # calling cnx.user() check connection validity, raise
b675edd05c19 [web session] fix web session id bug on automatic reconnection. The web session id should keep the first connection id, then differ of the repo connection id once some reconnection has been done (since the session cookie isn't updated in such cases). Also, use a lock to avoid potential race condition on reconnection.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 5223
diff changeset
    99
                # BadConnectionId on failure
0
b97547f5f1fa Showtime !
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
diff changeset
   100
                user = cnx.user(req)
5251
b675edd05c19 [web session] fix web session id bug on automatic reconnection. The web session id should keep the first connection id, then differ of the repo connection id once some reconnection has been done (since the session cookie isn't updated in such cases). Also, use a lock to avoid potential race condition on reconnection.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 5223
diff changeset
   101
            except BadConnectionId:
b675edd05c19 [web session] fix web session id bug on automatic reconnection. The web session id should keep the first connection id, then differ of the repo connection id once some reconnection has been done (since the session cookie isn't updated in such cases). Also, use a lock to avoid potential race condition on reconnection.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 5223
diff changeset
   102
                # check if a connection should be automatically restablished
b675edd05c19 [web session] fix web session id bug on automatic reconnection. The web session id should keep the first connection id, then differ of the repo connection id once some reconnection has been done (since the session cookie isn't updated in such cases). Also, use a lock to avoid potential race condition on reconnection.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 5223
diff changeset
   103
                if (login is None or login == session.login):
b675edd05c19 [web session] fix web session id bug on automatic reconnection. The web session id should keep the first connection id, then differ of the repo connection id once some reconnection has been done (since the session cookie isn't updated in such cases). Also, use a lock to avoid potential race condition on reconnection.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 5223
diff changeset
   104
                    cnx = self._authenticate(session.login, session.authinfo)
b675edd05c19 [web session] fix web session id bug on automatic reconnection. The web session id should keep the first connection id, then differ of the repo connection id once some reconnection has been done (since the session cookie isn't updated in such cases). Also, use a lock to avoid potential race condition on reconnection.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 5223
diff changeset
   105
                    user = cnx.user(req)
b675edd05c19 [web session] fix web session id bug on automatic reconnection. The web session id should keep the first connection id, then differ of the repo connection id once some reconnection has been done (since the session cookie isn't updated in such cases). Also, use a lock to avoid potential race condition on reconnection.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 5223
diff changeset
   106
                    session.cnx = cnx
b675edd05c19 [web session] fix web session id bug on automatic reconnection. The web session id should keep the first connection id, then differ of the repo connection id once some reconnection has been done (since the session cookie isn't updated in such cases). Also, use a lock to avoid potential race condition on reconnection.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 5223
diff changeset
   107
                else:
b675edd05c19 [web session] fix web session id bug on automatic reconnection. The web session id should keep the first connection id, then differ of the repo connection id once some reconnection has been done (since the session cookie isn't updated in such cases). Also, use a lock to avoid potential race condition on reconnection.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 5223
diff changeset
   108
                    raise InvalidSession('bad connection id')
5223
6abd6e3599f4 #773448: refactor session and 'no connection' handling, by introducing proper web session. We should now be able to see page even when no anon is configured, and be redirected to the login form as soon as one tries to do a query.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 4916
diff changeset
   109
        return user
1488
6da89a703c5a add ability to login with a primary email address - no tests for now are unittest_application.py are now broken
Florent <florent@secondweb.fr>
parents: 0
diff changeset
   110
3658
d8f2ec7e91fa pluggable authentication information retreiver
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 3647
diff changeset
   111
    def authenticate(self, req):
5223
6abd6e3599f4 #773448: refactor session and 'no connection' handling, by introducing proper web session. We should now be able to see page even when no anon is configured, and be redirected to the login form as soon as one tries to do a query.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 4916
diff changeset
   112
        """authenticate user using connection information found in the request,
6abd6e3599f4 #773448: refactor session and 'no connection' handling, by introducing proper web session. We should now be able to see page even when no anon is configured, and be redirected to the login form as soon as one tries to do a query.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 4916
diff changeset
   113
        and return corresponding a :class:`~cubicweb.dbapi.Connection` instance,
6abd6e3599f4 #773448: refactor session and 'no connection' handling, by introducing proper web session. We should now be able to see page even when no anon is configured, and be redirected to the login form as soon as one tries to do a query.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 4916
diff changeset
   114
        as well as login and authentication information dictionary used to open
6abd6e3599f4 #773448: refactor session and 'no connection' handling, by introducing proper web session. We should now be able to see page even when no anon is configured, and be redirected to the login form as soon as one tries to do a query.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 4916
diff changeset
   115
        the connection.
1488
6da89a703c5a add ability to login with a primary email address - no tests for now are unittest_application.py are now broken
Florent <florent@secondweb.fr>
parents: 0
diff changeset
   116
5223
6abd6e3599f4 #773448: refactor session and 'no connection' handling, by introducing proper web session. We should now be able to see page even when no anon is configured, and be redirected to the login form as soon as one tries to do a query.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 4916
diff changeset
   117
        raise :exc:`cubicweb.AuthenticationError` if authentication failed
6abd6e3599f4 #773448: refactor session and 'no connection' handling, by introducing proper web session. We should now be able to see page even when no anon is configured, and be redirected to the login form as soon as one tries to do a query.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 4916
diff changeset
   118
        (no authentication info found or wrong user/password)
        """
3658
d8f2ec7e91fa pluggable authentication information retriever
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 3647
diff changeset
        for retreiver in self.authinforetreivers:
            try:
                login, authinfo = retreiver.authentication_information(req)
            except NoAuthInfo:
                continue
4855
e69b2f2f2d61 when some authentication plugin fails, we may try another one
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 4252
diff changeset
            try:
                cnx = self._authenticate(login, authinfo)
            except AuthenticationError:
                continue # the next one may succeed
4910
f40fddaa79ad [web auth] fix authentication pb when anonymous are allowed, avoiding the first authentifier to return an anon connection while a following one may find correct authentication info. This makes things simpler (eventually)
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 4856
diff changeset
            for retreiver_ in self.authinforetreivers:
                retreiver_.authenticated(retreiver, req, cnx, login, authinfo)
            return cnx, login, authinfo
        # false if no authentication info found, eg this is not an
        # authentication failure
        if 'login' in locals():
            req.set_message(req._('authentication failure'))
        login, authinfo = self.anoninfo
        if login:
            cnx = self._authenticate(login, authinfo)
            cnx.anonymous_connection = True
            return cnx, login, authinfo
        raise AuthenticationError()

    def _authenticate(self, login, authinfo):
        cnxprops = ConnectionProperties(self.vreg.config.repo_method,
                                        close=False, log=self.log_queries)
        cnx = repo_connect(self.repo, login, cnxprops=cnxprops, **authinfo)
        # decorate connection
        cnx.vreg = self.vreg
        return cnx
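The retriever chain and anonymous fallback of `authenticate` above, as an added, self-contained model (not CubicWeb's code): `Retriever`, `Authenticator`, `_connect`, the dict-based request and `ACCOUNTS` are hypothetical stand-ins, and the `authenticated` callbacks are omitted. It makes the outcomes testable, in particular that rejected credentials can only ever yield a connection flagged anonymous.

```python
import hmac

ACCOUNTS = {'alice': 's3cret', 'anon': 'anon'}  # constructed sample accounts

class NoAuthInfo(Exception):
    """The request carries no credentials of the kind this retriever reads."""

class AuthenticationError(Exception):
    """Credentials were rejected, or nothing usable was found at all."""

class Retriever:
    """Hypothetical retriever: reads (login, password) from one request key."""
    def __init__(self, key):
        self.key = key
    def authentication_information(self, req):
        if self.key not in req:
            raise NoAuthInfo()
        login, password = req[self.key]
        return login, {'password': password}

class Authenticator:
    """Model of the chain shown on the page; returns (connection, message)."""
    def __init__(self, retrievers, accounts, anoninfo=(None, None)):
        self.retrievers, self.accounts, self.anoninfo = retrievers, accounts, anoninfo
    def _connect(self, login, authinfo):
        # Stand-in for repo_connect(): constant-time check against a dict.
        expected = self.accounts.get(login)
        if expected is None or not hmac.compare_digest(expected, authinfo['password']):
            raise AuthenticationError()
        return {'login': login, 'anonymous': False}
    def authenticate(self, req):
        found = False  # explicit flag in place of the page's 'login' in locals()
        for retriever in self.retrievers:
            try:
                login, authinfo = retriever.authentication_information(req)
            except NoAuthInfo:
                continue
            found = True
            try:
                return self._connect(login, authinfo), None
            except AuthenticationError:
                continue  # the next retriever may succeed
        message = 'authentication failure' if found else None
        login, authinfo = self.anoninfo
        if login:
            cnx = self._connect(login, authinfo)
            cnx['anonymous'] = True  # callers must not treat this as a user login
            return cnx, message
        raise AuthenticationError()
```
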