author | Sylvain Thénault <sylvain.thenault@logilab.fr> |
Tue, 20 Apr 2010 10:42:35 +0200 | |
branch | stable |
changeset 5339 | b83327846450 |
parent 4916 | 4b8cdda342ae |
child 5223 | 6abd6e3599f4 |
child 5417 | 55ff79dad1a6 |
permissions | -rw-r--r-- |
0 | 1 |
"""user authentication component |
2 |
||
3 |
:organization: Logilab |
|
4212
ab6573088b4a
update copyright: welcome 2010
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
2267
diff
changeset
|
4 |
:copyright: 2001-2010 LOGILAB S.A. (Paris, FRANCE), license is LGPL v2. |
0 | 5 |
:contact: http://www.logilab.fr/ -- mailto:contact@logilab.fr |
1977
606923dff11b
big bunch of copyright / docstring update
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
1690
diff
changeset
|
6 |
:license: GNU Lesser General Public License, v2.1 - http://www.gnu.org/licenses |
0 | 7 |
""" |
8 |
__docformat__ = "restructuredtext en" |
|
9 |
||
10 |
from logilab.common.decorators import clear_cache |
|
11 |
||
12 |
from cubicweb import AuthenticationError, BadConnectionId |
|
3658
d8f2ec7e91fa
pluggable authentication information retreiver
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
3647
diff
changeset
|
13 |
from cubicweb.view import Component |
0 | 14 |
from cubicweb.dbapi import repo_connect, ConnectionProperties |
15 |
from cubicweb.web import ExplicitLogin, InvalidSession |
|
16 |
from cubicweb.web.application import AbstractAuthenticationManager |
|
1668 | 17 |
|
3658
d8f2ec7e91fa
pluggable authentication information retreiver
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
3647
diff
changeset
|
18 |
class NoAuthInfo(Exception): pass |
d8f2ec7e91fa
pluggable authentication information retreiver
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
3647
diff
changeset
|
19 |
|
d8f2ec7e91fa
pluggable authentication information retreiver
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
3647
diff
changeset
|
20 |
|
d8f2ec7e91fa
pluggable authentication information retreiver
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
3647
diff
changeset
|
21 |
class WebAuthInfoRetreiver(Component): |
d8f2ec7e91fa
pluggable authentication information retreiver
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
3647
diff
changeset
|
22 |
__registry__ = 'webauth' |
d8f2ec7e91fa
pluggable authentication information retreiver
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
3647
diff
changeset
|
23 |
order = None |
d8f2ec7e91fa
pluggable authentication information retreiver
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
3647
diff
changeset
|
24 |
|
d8f2ec7e91fa
pluggable authentication information retreiver
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
3647
diff
changeset
|
25 |
def authentication_information(self, req): |
d8f2ec7e91fa
pluggable authentication information retreiver
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
3647
diff
changeset
|
26 |
"""retreive authentication information from the given request, raise |
d8f2ec7e91fa
pluggable authentication information retreiver
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
3647
diff
changeset
|
27 |
NoAuthInfo if expected information is not found. |
d8f2ec7e91fa
pluggable authentication information retreiver
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
3647
diff
changeset
|
28 |
""" |
d8f2ec7e91fa
pluggable authentication information retreiver
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
3647
diff
changeset
|
29 |
raise NotImplementedError() |
d8f2ec7e91fa
pluggable authentication information retreiver
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
3647
diff
changeset
|
30 |
|
d8f2ec7e91fa
pluggable authentication information retreiver
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
3647
diff
changeset
|
31 |
def authenticated(self, req, cnx, retreiver): |
d8f2ec7e91fa
pluggable authentication information retreiver
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
3647
diff
changeset
|
32 |
"""callback when return authentication information have opened a |
d8f2ec7e91fa
pluggable authentication information retreiver
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
3647
diff
changeset
|
33 |
repository connection successfully |
d8f2ec7e91fa
pluggable authentication information retreiver
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
3647
diff
changeset
|
34 |
""" |
d8f2ec7e91fa
pluggable authentication information retreiver
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
3647
diff
changeset
|
35 |
pass |
d8f2ec7e91fa
pluggable authentication information retreiver
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
3647
diff
changeset
|
36 |
|
d8f2ec7e91fa
pluggable authentication information retreiver
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
3647
diff
changeset
|
37 |
|
d8f2ec7e91fa
pluggable authentication information retreiver
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
3647
diff
changeset
|
38 |
class LoginPasswordRetreiver(WebAuthInfoRetreiver): |
d8f2ec7e91fa
pluggable authentication information retreiver
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
3647
diff
changeset
|
39 |
__regid__ = 'loginpwdauth' |
d8f2ec7e91fa
pluggable authentication information retreiver
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
3647
diff
changeset
|
40 |
order = 10 |
d8f2ec7e91fa
pluggable authentication information retreiver
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
3647
diff
changeset
|
41 |
|
d8f2ec7e91fa
pluggable authentication information retreiver
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
3647
diff
changeset
|
42 |
def authentication_information(self, req): |
d8f2ec7e91fa
pluggable authentication information retreiver
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
3647
diff
changeset
|
43 |
"""retreive authentication information from the given request, raise |
d8f2ec7e91fa
pluggable authentication information retreiver
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
3647
diff
changeset
|
44 |
NoAuthInfo if expected information is not found. |
d8f2ec7e91fa
pluggable authentication information retreiver
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
3647
diff
changeset
|
45 |
""" |
d8f2ec7e91fa
pluggable authentication information retreiver
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
3647
diff
changeset
|
46 |
login, password = req.get_authorization() |
d8f2ec7e91fa
pluggable authentication information retreiver
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
3647
diff
changeset
|
47 |
if not login: |
4910
f40fddaa79ad
[web auth] fix authentication pb when anonymous are allowed, avoiding the first authentifier to return an anon connection while a following one may find correct authentication info. This make things simpler (eventually)
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4856
diff
changeset
|
48 |
raise NoAuthInfo() |
3658
d8f2ec7e91fa
pluggable authentication information retreiver
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
3647
diff
changeset
|
49 |
return login, {'password': password} |
d8f2ec7e91fa
pluggable authentication information retreiver
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
3647
diff
changeset
|
50 |
|
0 | 51 |
|
52 |
class RepositoryAuthenticationManager(AbstractAuthenticationManager): |
|
53 |
"""authenticate user associated to a request and check session validity""" |
|
1668 | 54 |
|
2887
1282dc6525c5
give vreg where we need it (eg no bound request)
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2267
diff
changeset
|
55 |
def __init__(self, vreg): |
1282dc6525c5
give vreg where we need it (eg no bound request)
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2267
diff
changeset
|
56 |
super(RepositoryAuthenticationManager, self).__init__(vreg) |
1282dc6525c5
give vreg where we need it (eg no bound request)
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2267
diff
changeset
|
57 |
self.repo = vreg.config.repository(vreg) |
1282dc6525c5
give vreg where we need it (eg no bound request)
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2267
diff
changeset
|
58 |
self.log_queries = vreg.config['query-log-file'] |
3658
d8f2ec7e91fa
pluggable authentication information retreiver
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
3647
diff
changeset
|
59 |
self.authinforetreivers = sorted(vreg['webauth'].possible_objects(vreg), |
d8f2ec7e91fa
pluggable authentication information retreiver
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
3647
diff
changeset
|
60 |
key=lambda x: x.order) |
d8f2ec7e91fa
pluggable authentication information retreiver
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
3647
diff
changeset
|
61 |
assert self.authinforetreivers |
4910
f40fddaa79ad
[web auth] fix authentication pb when anonymous are allowed, avoiding the first authentifier to return an anon connection while a following one may find correct authentication info. This make things simpler (eventually)
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4856
diff
changeset
|
62 |
self.anoninfo = vreg.config.anonymous_user() |
0 | 63 |
|
64 |
def validate_session(self, req, session): |
|
65 |
"""check session validity, and return eventually hijacked session |
|
66 |
||
67 |
:raise InvalidSession: |
|
68 |
if session is corrupted for a reason or another and should be closed |
|
69 |
""" |
|
70 |
# with this authentication manager, session is actually a dbapi |
|
71 |
# connection |
|
72 |
cnx = session |
|
73 |
login = req.get_authorization()[0] |
|
74 |
try: |
|
75 |
# calling cnx.user() check connection validity, raise |
|
76 |
# BadConnectionId on failure |
|
77 |
user = cnx.user(req) |
|
2267
e1d2df3f1091
move login by email functionnality on the repository side to avoid buggy call to internal_session from the web interface side
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
1977
diff
changeset
|
78 |
# check cnx.login and not user.login, since in case of login by |
e1d2df3f1091
move login by email functionnality on the repository side to avoid buggy call to internal_session from the web interface side
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
1977
diff
changeset
|
79 |
# email, login and cnx.login are the email while user.login is the |
e1d2df3f1091
move login by email functionnality on the repository side to avoid buggy call to internal_session from the web interface side
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
1977
diff
changeset
|
80 |
# actual user login |
e1d2df3f1091
move login by email functionnality on the repository side to avoid buggy call to internal_session from the web interface side
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
1977
diff
changeset
|
81 |
if login and cnx.login != login: |
0 | 82 |
cnx.close() |
83 |
raise InvalidSession('login mismatch') |
|
84 |
except BadConnectionId: |
|
85 |
# check if a connection should be automatically restablished |
|
86 |
if (login is None or login == cnx.login): |
|
3658
d8f2ec7e91fa
pluggable authentication information retreiver
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
3647
diff
changeset
|
87 |
cnx = self._authenticate(req, cnx.login, cnx.authinfo) |
0 | 88 |
user = cnx.user(req) |
89 |
# backport session's data |
|
90 |
cnx.data = session.data |
|
91 |
else: |
|
92 |
raise InvalidSession('bad connection id') |
|
93 |
# associate the connection to the current request |
|
94 |
req.set_connection(cnx, user) |
|
95 |
return cnx |
|
1488
6da89a703c5a
add ability to login with a primary email address - no tests for now are unittest_application.py are now broken
Florent <florent@secondweb.fr>
parents:
0
diff
changeset
|
96 |
|
3658
d8f2ec7e91fa
pluggable authentication information retreiver
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
3647
diff
changeset
|
97 |
def authenticate(self, req): |
0 | 98 |
"""authenticate user and return corresponding user object |
1488
6da89a703c5a
add ability to login with a primary email address - no tests for now are unittest_application.py are now broken
Florent <florent@secondweb.fr>
parents:
0
diff
changeset
|
99 |
|
0 | 100 |
:raise ExplicitLogin: if authentication is required (no authentication |
101 |
info found or wrong user/password) |
|
102 |
||
103 |
Note: this method is violating AuthenticationManager interface by |
|
104 |
returning a session instance instead of the user. This is expected by |
|
105 |
the InMemoryRepositorySessionManager. |
|
106 |
""" |
|
3658
d8f2ec7e91fa
pluggable authentication information retreiver
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
3647
diff
changeset
|
107 |
for retreiver in self.authinforetreivers: |
d8f2ec7e91fa
pluggable authentication information retreiver
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
3647
diff
changeset
|
108 |
try: |
d8f2ec7e91fa
pluggable authentication information retreiver
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
3647
diff
changeset
|
109 |
login, authinfo = retreiver.authentication_information(req) |
d8f2ec7e91fa
pluggable authentication information retreiver
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
3647
diff
changeset
|
110 |
except NoAuthInfo: |
d8f2ec7e91fa
pluggable authentication information retreiver
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
3647
diff
changeset
|
111 |
continue |
4855
e69b2f2f2d61
when some authentication plugin fail, we may try another one
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4252
diff
changeset
|
112 |
try: |
e69b2f2f2d61
when some authentication plugin fail, we may try another one
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4252
diff
changeset
|
113 |
cnx = self._authenticate(req, login, authinfo) |
e69b2f2f2d61
when some authentication plugin fail, we may try another one
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4252
diff
changeset
|
114 |
except ExplicitLogin: |
e69b2f2f2d61
when some authentication plugin fail, we may try another one
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4252
diff
changeset
|
115 |
continue # the next one may succeed |
4910
f40fddaa79ad
[web auth] fix authentication pb when anonymous are allowed, avoiding the first authentifier to return an anon connection while a following one may find correct authentication info. This make things simpler (eventually)
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4856
diff
changeset
|
116 |
for retreiver_ in self.authinforetreivers: |
f40fddaa79ad
[web auth] fix authentication pb when anonymous are allowed, avoiding the first authentifier to return an anon connection while a following one may find correct authentication info. This make things simpler (eventually)
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4856
diff
changeset
|
117 |
retreiver_.authenticated(req, cnx, retreiver) |
f40fddaa79ad
[web auth] fix authentication pb when anonymous are allowed, avoiding the first authentifier to return an anon connection while a following one may find correct authentication info. This make things simpler (eventually)
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4856
diff
changeset
|
118 |
break |
0 | 119 |
else: |
4910
f40fddaa79ad
[web auth] fix authentication pb when anonymous are allowed, avoiding the first authentifier to return an anon connection while a following one may find correct authentication info. This make things simpler (eventually)
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4856
diff
changeset
|
120 |
# false if no authentication info found, eg this is not an |
f40fddaa79ad
[web auth] fix authentication pb when anonymous are allowed, avoiding the first authentifier to return an anon connection while a following one may find correct authentication info. This make things simpler (eventually)
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4856
diff
changeset
|
121 |
# authentication failure |
f40fddaa79ad
[web auth] fix authentication pb when anonymous are allowed, avoiding the first authentifier to return an anon connection while a following one may find correct authentication info. This make things simpler (eventually)
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4856
diff
changeset
|
122 |
if 'login' in locals(): |
f40fddaa79ad
[web auth] fix authentication pb when anonymous are allowed, avoiding the first authentifier to return an anon connection while a following one may find correct authentication info. This make things simpler (eventually)
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4856
diff
changeset
|
123 |
req.set_message(req._('authentication failure')) |
f40fddaa79ad
[web auth] fix authentication pb when anonymous are allowed, avoiding the first authentifier to return an anon connection while a following one may find correct authentication info. This make things simpler (eventually)
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4856
diff
changeset
|
124 |
cnx = self._open_anonymous_connection(req) |
3658
d8f2ec7e91fa
pluggable authentication information retreiver
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
3647
diff
changeset
|
125 |
return cnx |
d8f2ec7e91fa
pluggable authentication information retreiver
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
3647
diff
changeset
|
126 |
|
d8f2ec7e91fa
pluggable authentication information retreiver
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
3647
diff
changeset
|
127 |
def _authenticate(self, req, login, authinfo): |
0 | 128 |
cnxprops = ConnectionProperties(self.vreg.config.repo_method, |
129 |
close=False, log=self.log_queries) |
|
130 |
try: |
|
3658
d8f2ec7e91fa
pluggable authentication information retreiver
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
3647
diff
changeset
|
131 |
cnx = repo_connect(self.repo, login, cnxprops=cnxprops, **authinfo) |
0 | 132 |
except AuthenticationError: |
4910
f40fddaa79ad
[web auth] fix authentication pb when anonymous are allowed, avoiding the first authentifier to return an anon connection while a following one may find correct authentication info. This make things simpler (eventually)
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4856
diff
changeset
|
133 |
raise ExplicitLogin() |
f40fddaa79ad
[web auth] fix authentication pb when anonymous are allowed, avoiding the first authentifier to return an anon connection while a following one may find correct authentication info. This make things simpler (eventually)
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4856
diff
changeset
|
134 |
self._init_cnx(cnx, login, authinfo) |
0 | 135 |
# associate the connection to the current request |
136 |
req.set_connection(cnx) |
|
137 |
return cnx |
|
138 |
||
4910
f40fddaa79ad
[web auth] fix authentication pb when anonymous are allowed, avoiding the first authentifier to return an anon connection while a following one may find correct authentication info. This make things simpler (eventually)
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4856
diff
changeset
|
139 |
def _open_anonymous_connection(self, req): |
f40fddaa79ad
[web auth] fix authentication pb when anonymous are allowed, avoiding the first authentifier to return an anon connection while a following one may find correct authentication info. This make things simpler (eventually)
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4856
diff
changeset
|
140 |
# restore an anonymous connection if possible |
f40fddaa79ad
[web auth] fix authentication pb when anonymous are allowed, avoiding the first authentifier to return an anon connection while a following one may find correct authentication info. This make things simpler (eventually)
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4856
diff
changeset
|
141 |
login, password = self.anoninfo |
f40fddaa79ad
[web auth] fix authentication pb when anonymous are allowed, avoiding the first authentifier to return an anon connection while a following one may find correct authentication info. This make things simpler (eventually)
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4856
diff
changeset
|
142 |
if login: |
4916 | 143 |
cnx = self._authenticate(req, login, {'password': password}) |
144 |
cnx.anonymous_connection = True |
|
145 |
return cnx |
|
4910
f40fddaa79ad
[web auth] fix authentication pb when anonymous are allowed, avoiding the first authentifier to return an anon connection while a following one may find correct authentication info. This make things simpler (eventually)
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4856
diff
changeset
|
146 |
raise ExplicitLogin() |
f40fddaa79ad
[web auth] fix authentication pb when anonymous are allowed, avoiding the first authentifier to return an anon connection while a following one may find correct authentication info. This make things simpler (eventually)
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4856
diff
changeset
|
147 |
|
3658
d8f2ec7e91fa
pluggable authentication information retreiver
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
3647
diff
changeset
|
148 |
def _init_cnx(self, cnx, login, authinfo): |
0 | 149 |
# decorate connection |
150 |
cnx.vreg = self.vreg |
|
151 |
cnx.login = login |
|
3658
d8f2ec7e91fa
pluggable authentication information retreiver
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
3647
diff
changeset
|
152 |
cnx.authinfo = authinfo |
0 | 153 |