cubicweb: web/views/authentication.py@f61402624f7b (annotated)

0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	1	"""user authentication component
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	2
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	3	:organization: Logilab
1668 d2ac1d681d70 delete-trailing-whitespaces sylvain.thenault@logilab.fr parents: 1490 diff changeset	4	:copyright: 2001-2009 LOGILAB S.A. (Paris, FRANCE), all rights reserved.
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	5	:contact: http://www.logilab.fr/ -- mailto:contact@logilab.fr
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	6	"""
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	7	__docformat__ = "restructuredtext en"
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	8
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	9	from logilab.common.decorators import clear_cache
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	10
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	11	from cubicweb import AuthenticationError, BadConnectionId
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	12	from cubicweb.dbapi import repo_connect, ConnectionProperties
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	13	from cubicweb.web import ExplicitLogin, InvalidSession
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	14	from cubicweb.web.application import AbstractAuthenticationManager
1668 d2ac1d681d70 delete-trailing-whitespaces sylvain.thenault@logilab.fr parents: 1490 diff changeset	15
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	16
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	17	class RepositoryAuthenticationManager(AbstractAuthenticationManager):
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	18	"""authenticate user associated to a request and check session validity"""
1668 d2ac1d681d70 delete-trailing-whitespaces sylvain.thenault@logilab.fr parents: 1490 diff changeset	19
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	20	def __init__(self):
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	21	self.repo = self.config.repository(self.vreg)
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	22	self.log_queries = self.config['query-log-file']
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	23
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	24	def validate_session(self, req, session):
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	25	"""check session validity, and return eventually hijacked session
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	26
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	27	:raise InvalidSession:
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	28	if session is corrupted for a reason or another and should be closed
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	29	"""
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	30	# with this authentication manager, session is actually a dbapi
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	31	# connection
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	32	cnx = session
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	33	login = req.get_authorization()[0]
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	34	try:
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	35	# calling cnx.user() check connection validity, raise
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	36	# BadConnectionId on failure
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	37	user = cnx.user(req)
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	38	if login and user.login != login:
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	39	cnx.close()
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	40	raise InvalidSession('login mismatch')
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	41	except BadConnectionId:
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	42	# check if a connection should be automatically restablished
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	43	if (login is None or login == cnx.login):
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	44	login, password = cnx.login, cnx.password
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	45	cnx = self.authenticate(req, login, password)
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	46	user = cnx.user(req)
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	47	# backport session's data
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	48	cnx.data = session.data
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	49	else:
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	50	raise InvalidSession('bad connection id')
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	51	# associate the connection to the current request
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	52	req.set_connection(cnx, user)
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	53	return cnx
1488 6da89a703c5a add ability to login with a primary email address - no tests for now are unittest_application.py are now broken Florent <florent@secondweb.fr> parents: 0 diff changeset	54
6da89a703c5a add ability to login with a primary email address - no tests for now are unittest_application.py are now broken Florent <florent@secondweb.fr> parents: 0 diff changeset	55	def login_from_email(self, login):
1664 03ebeccf9f1d add XXX before 2 calls to self.repo.internal_session() on the web interface side Florent <florent@secondweb.fr> parents: 1663 diff changeset	56	# XXX should not be called from web interface
1488 6da89a703c5a add ability to login with a primary email address - no tests for now are unittest_application.py are now broken Florent <florent@secondweb.fr> parents: 0 diff changeset	57	session = self.repo.internal_session()
1663 89efe0e744cf close internal session in login_from_email Florent <florent@secondweb.fr> parents: 1490 diff changeset	58	try:
89efe0e744cf close internal session in login_from_email Florent <florent@secondweb.fr> parents: 1490 diff changeset	59	rset = session.execute('Any L WHERE U login L, U primary_email M, '
89efe0e744cf close internal session in login_from_email Florent <florent@secondweb.fr> parents: 1490 diff changeset	60	'M address %(login)s', {'login': login})
89efe0e744cf close internal session in login_from_email Florent <florent@secondweb.fr> parents: 1490 diff changeset	61	if rset.rowcount == 1:
89efe0e744cf close internal session in login_from_email Florent <florent@secondweb.fr> parents: 1490 diff changeset	62	login = rset[0][0]
89efe0e744cf close internal session in login_from_email Florent <florent@secondweb.fr> parents: 1490 diff changeset	63	finally:
89efe0e744cf close internal session in login_from_email Florent <florent@secondweb.fr> parents: 1490 diff changeset	64	session.close()
1488 6da89a703c5a add ability to login with a primary email address - no tests for now are unittest_application.py are now broken Florent <florent@secondweb.fr> parents: 0 diff changeset	65	return login
6da89a703c5a add ability to login with a primary email address - no tests for now are unittest_application.py are now broken Florent <florent@secondweb.fr> parents: 0 diff changeset	66
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	67	def authenticate(self, req, _login=None, _password=None):
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	68	"""authenticate user and return corresponding user object
1488 6da89a703c5a add ability to login with a primary email address - no tests for now are unittest_application.py are now broken Florent <florent@secondweb.fr> parents: 0 diff changeset	69
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	70	:raise ExplicitLogin: if authentication is required (no authentication
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	71	info found or wrong user/password)
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	72
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	73	Note: this method is violating AuthenticationManager interface by
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	74	returning a session instance instead of the user. This is expected by
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	75	the InMemoryRepositorySessionManager.
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	76	"""
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	77	if _login is not None:
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	78	login, password = _login, _password
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	79	else:
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	80	login, password = req.get_authorization()
1490 6b024694d493 add allow-email-login option Florent <florent@secondweb.fr> parents: 1488 diff changeset	81	if self.vreg.config['allow-email-login'] and '@' in (login or u''):
1488 6da89a703c5a add ability to login with a primary email address - no tests for now are unittest_application.py are now broken Florent <florent@secondweb.fr> parents: 0 diff changeset	82	login = self.login_from_email(login)
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	83	if not login:
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	84	# No session and no login -> try anonymous
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	85	login, password = self.vreg.config.anonymous_user()
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	86	if not login: # anonymous not authorized
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	87	raise ExplicitLogin()
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	88	# remove possibly cached cursor coming from closed connection
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	89	clear_cache(req, 'cursor')
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	90	cnxprops = ConnectionProperties(self.vreg.config.repo_method,
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	91	close=False, log=self.log_queries)
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	92	try:
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	93	cnx = repo_connect(self.repo, login, password, cnxprops=cnxprops)
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	94	except AuthenticationError:
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	95	req.set_message(req._('authentication failure'))
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	96	# restore an anonymous connection if possible
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	97	anonlogin, anonpassword = self.vreg.config.anonymous_user()
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	98	if anonlogin and anonlogin != login:
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	99	cnx = repo_connect(self.repo, anonlogin, anonpassword,
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	100	cnxprops=cnxprops)
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	101	self._init_cnx(cnx, anonlogin, anonpassword)
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	102	else:
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	103	raise ExplicitLogin()
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	104	else:
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	105	self._init_cnx(cnx, login, password)
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	106	# associate the connection to the current request
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	107	req.set_connection(cnx)
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	108	return cnx
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	109
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	110	def _init_cnx(self, cnx, login, password):
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	111	# decorate connection
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	112	if login == self.vreg.config.anonymous_user()[0]:
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	113	cnx.anonymous_connection = True
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	114	cnx.vreg = self.vreg
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	115	cnx.login = login
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	116	cnx.password = password
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	117

author	sylvain.thenault@logilab.fr
	Tue, 05 May 2009 19:31:00 +0200
branch	tls-sprint
changeset 1699	f61402624f7b
parent 1690	e4f7d2ddc99a
child 1977	606923dff11b
permissions	-rw-r--r--