author | Julien Cristau <julien.cristau@logilab.fr> |
Mon, 07 Apr 2014 14:15:35 +0200 | |
changeset 9632 | c60c8dec0e0e |
parent 9402 | 2c48c091b6a2 |
child 9883 | 0a5890491ab3 |
permissions | -rw-r--r-- |
# copyright 2003-2012 LOGILAB S.A. (Paris, FRANCE), all rights reserved. |
# contact http://www.logilab.fr/ -- mailto:contact@logilab.fr |
# |
# This file is part of CubicWeb. |
# |
# CubicWeb is free software: you can redistribute it and/or modify it under the |
# terms of the GNU Lesser General Public License as published by the Free |
# Software Foundation, either version 2.1 of the License, or (at your option) |
# any later version. |
# |
# CubicWeb is distributed in the hope that it will be useful, but WITHOUT |
# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS |
# FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more |
# details. |
# |
# You should have received a copy of the GNU Lesser General Public License along |
# with CubicWeb. If not, see <http://www.gnu.org/licenses/>. |
"""user authentication component""" |
__docformat__ = "restructuredtext en" |
from threading import Lock |
from logilab.common.decorators import clear_cache |
from logilab.common.deprecation import class_renamed |
from cubicweb import AuthenticationError, BadConnectionId |
from cubicweb.view import Component |
from cubicweb.dbapi import _repo_connect, ConnectionProperties |
from cubicweb.web import InvalidSession |
from cubicweb.web.application import AbstractAuthenticationManager |
class NoAuthInfo(Exception):
    """Raised by a retriever's ``authentication_information`` when the
    request does not carry the information that retriever expects.
    """
class WebAuthInfoRetriever(Component):
    """Abstract base for components that extract authentication information
    from a web request.

    Retrievers are registered in the 'webauth' registry.  ``order`` is the
    sort key RepositoryAuthenticationManager applies to the retrievers it
    collects; it is None on this base class, while LoginPasswordRetriever
    sets it to 10.
    """
    __registry__ = 'webauth'
    __abstract__ = True
    order = None

    def authentication_information(self, req):
        """Extract authentication information from `req`.

        Implementations raise NoAuthInfo when the request does not contain
        what they expect.  LoginPasswordRetriever, the implementation in
        this module, returns a ``(login, authinfo dict)`` pair.
        """
        raise NotImplementedError()

    def authenticated(self, retriever, req, cnx, login, authinfo):
        """Callback run once the returned authentication information has
        successfully opened a repository connection.

        `retriever` is the retriever whose information was used.  `req` has
        no session attached at this point, so ``req.execute`` is not
        available.

        `authinfo` can hold the password (LoginPasswordRetriever puts it
        under the 'password' key), so an override should neither log nor
        persist it.  The default implementation does nothing.
        """

    def request_has_auth_info(self, req):
        """Tell whether `req` carries enough information to proceed to
        authentication, should the current session be invalidated.
        """
        raise NotImplementedError()

    def revalidate_login(self, req):
        """Return a login string or None, used for repository session
        validation.

        A falsy value makes ``_validate_session`` skip its login comparison
        and accept the session as it stands.
        """
        raise NotImplementedError()

    def cleanup_authentication_information(self, req):
        """Called when this retriever returned authentication information
        that then produced an authentication error, so the retriever gets a
        chance to clean things up (e.g. remove a cookie).

        The default implementation does nothing.
        """
# Alias keeping the former, misspelled class name importable; the last
# argument is the deprecation message passed to class_renamed.
WebAuthInfoRetreiver = class_renamed(
    'WebAuthInfoRetreiver',
    WebAuthInfoRetriever,
    '[3.17] WebAuthInfoRetreiver had been renamed into WebAuthInfoRetriever '
    '("ie" instead of "ei")')
class LoginPasswordRetriever(WebAuthInfoRetriever):
    """Retriever that takes a login / password pair from
    ``req.get_authorization()``.
    """
    __regid__ = 'loginpwdauth'
    order = 10

    def authentication_information(self, req):
        """Return ``(login, {'password': password})`` read from `req`.

        Raises NoAuthInfo when the request yields no (or an empty) login.
        """
        credentials = req.get_authorization()
        login, password = credentials
        if login:
            # The password is handed to the caller as-is inside this dict:
            # keep the dict out of logs and error messages.
            return login, {'password': password}
        raise NoAuthInfo()

    def request_has_auth_info(self, req):
        """Tell whether the request's authorization data holds a login."""
        # NOTE(review): only None counts as "no login" here, whereas
        # authentication_information() also rejects an empty string;
        # confirm that the asymmetry is intended.
        login = req.get_authorization()[0]
        return login is not None

    def revalidate_login(self, req):
        """Return the login found in the request's authorization data."""
        login = req.get_authorization()[0]
        return login
# Alias keeping the former, misspelled class name importable; the last
# argument is the deprecation message passed to class_renamed.
LoginPasswordRetreiver = class_renamed(
    'LoginPasswordRetreiver',
    LoginPasswordRetriever,
    '[3.17] LoginPasswordRetreiver had been renamed into LoginPasswordRetriever '
    '("ie" instead of "ei")')
class RepositoryAuthenticationManager(AbstractAuthenticationManager): |
"""authenticate user associated to a request and check session validity""" |
def __init__(self, repo):
    """Initialise the manager from the repository `repo`.

    Keeps a reference to `repo`, reads the 'query-log-file' option,
    collects the 'webauth' retrievers sorted on their ``order`` attribute
    and stores the anonymous user information.
    """
    super(RepositoryAuthenticationManager, self).__init__(repo)
    self.repo = repo
    registry = repo.vreg
    self.log_queries = registry.config['query-log-file']
    # validate_session() and authenticate() walk this list in order, so
    # ``order`` decides which retriever is consulted first.
    candidates = list(registry['webauth'].possible_objects(registry))
    candidates.sort(key=lambda candidate: candidate.order)
    self.authinforetrievers = candidates
    # 2-tuple login / password; login is None when no anonymous access is
    # configured.
    anon = registry.config.anonymous_user()
    self.anoninfo = anon
    if anon[0]:
        # Same (login, {'password': ...}) shape as the one returned by
        # LoginPasswordRetriever.authentication_information().  The
        # anonymous password stays in memory on this object: do not log it.
        self.anoninfo = (anon[0], {'password': anon[1]})
def validate_session(self, req, session):
    """Check that `session` is still valid for the request `req`.

    Raises :exc:`InvalidSession` if the session is corrupted for one reason
    or another and should be closed.  Also invoked while going from
    anonymous to logged in.

    Only the first retriever reporting authentication information in the
    request is consulted; the login it gives is compared with the session's
    login.  When no retriever reports any, the current session is checked
    with no login at all.

    NOTE(review): this method used to be documented as returning the
    connected user, but ``_validate_session`` as written in this file has
    no return statement, so None comes back; confirm no caller relies on
    the return value.
    """
    login = None
    for candidate in self.authinforetrievers:
        if candidate.request_has_auth_info(req):
            login = candidate.revalidate_login(req)
            break
    # login is still None here when no retriever found anything: in that
    # case we try with the current session.
    return self._validate_session(req, session, login)
def _validate_session(self, req, session, login):
    """Raise :exc:`InvalidSession` when `login` is given and differs from
    the login recorded on `session`.

    A falsy `login` (None or an empty string) skips the comparison, so the
    session is accepted as it stands.
    """
    if not login:
        return
    # Compare with session.login rather than user.login: when logging in
    # by email, login and cnx.login are the email while user.login is the
    # actual user login.
    if session.login != login:
        raise InvalidSession('login mismatch')
def authenticate(self, req): |
"""authenticate user using connection information found in the request, |
and return corresponding a :class:`~cubicweb.dbapi.Connection` instance, |
as well as login used to open the connection. |
|
raise :exc:`cubicweb.AuthenticationError` if authentication failed |
(no authentication info found or wrong user/password) |
""" |
for retriever in self.authinforetrievers: |
try: |
login, authinfo = retriever.authentication_information(req) |
except NoAuthInfo: |
continue |
try: |
session = self._authenticate(login, authinfo) |
except AuthenticationError: |
retriever.cleanup_authentication_information(req) |
continue # the next one may succeed |
for retriever_ in self.authinforetrievers: |
retriever_.authenticated(retriever, req, session, login, authinfo) |
return session, login |
# false if no authentication info found, eg this is not an |
# authentication failure |
if 'login' in locals(): |
req.set_message(req._('authentication failure')) |
login, authinfo = self.anoninfo |
if login: |
session = self._authenticate(login, authinfo) |
return session, login |
raise AuthenticationError() |
|
def _authenticate(self, login, authinfo):
    """Open a repository session for `login` and return the session object.

    `authinfo` is expanded into keyword arguments for ``self.repo.connect``;
    the identifier that call returns is then used as the key into
    ``self.repo._sessions``.  Nothing is caught here: whatever ``connect``
    raises propagates to the caller, which in this file handles
    ``AuthenticationError`` as a failed attempt.
    """
    repo = self.repo
    session_key = repo.connect(login, **authinfo)
    # NOTE(review): this reads the repository's private ``_sessions`` mapping;
    # an identifier missing from it surfaces as KeyError, not as
    # AuthenticationError -- confirm callers are fine with that.
    return repo._sessions[session_key]