
liads committed 25d8e48

Improved container-based auth support for middleware

  • Parent commits 2196aa2


Files changed (4)

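--- a/rhodecode/lib/auth.py
+++ b/rhodecode/lib/auth.py
               user.username)
     return user
 
-def get_container_username(environ, cfg):
-    from paste.httpheaders import REMOTE_USER
-    from paste.deploy.converters import asbool
+def get_container_username(environ, config):
+    username = None
 
-    proxy_pass_enabled = asbool(cfg.get('proxypass_auth_enabled', False))
-    username = REMOTE_USER(environ)
-    
-    if not username and proxy_pass_enabled:
+    if str2bool(config.get('container_auth_enabled', False)):
+        from paste.httpheaders import REMOTE_USER
+        username = REMOTE_USER(environ)
+
+    if not username and str2bool(config.get('proxypass_auth_enabled', False)):
         username = environ.get('HTTP_X_FORWARDED_USER')
 
-    if username and proxy_pass_enabled:
+    if username:
         # Removing realm and domain from username
         username = username.partition('@')[0]
         username = username.rpartition('\\')[2]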
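Review bot: The `proxypass_auth_enabled` branch takes `HTTP_X_FORWARDED_USER` straight from the request environment, and with this change it applies even when `container_auth_enabled` is off, yet nothing in the function checks that the request arrived through the trusted proxy. The header is client-controllable unless the front end overwrites or strips it, so the function should state that precondition in a docstring, for example `"""Return the username asserted by the container (REMOTE_USER) or the reverse proxy (X-Forwarded-User); both are trusted as-is, so enable them only behind a front end that sets or strips these values."""`. The realm/domain stripping under `if username:` now also runs on `REMOTE_USER`, so constructed names such as `alice@REALM-A` and `REALM-B\alice` both resolve to `alice`; a comment should say that only one realm is expected to reach this server. The rest of the function lies outside the hunk.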

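--- a/rhodecode/lib/base.py
+++ b/rhodecode/lib/base.py
 from pylons.controllers import WSGIController
 from pylons.controllers.util import redirect
 from pylons.templating import render_mako as render
-from paste.deploy.converters import asbool
 
 from rhodecode import __version__
 from rhodecode.lib import str2bool
             # make sure that we update permissions each time we call controller
             api_key = request.GET.get('api_key')
             user_id = getattr(session.get('rhodecode_user'), 'user_id', None)
-            if asbool(config.get('container_auth_enabled', False)):
-                username = get_container_username(environ)
-            else:
-                username = None
+            username = get_container_username(environ, config)
+
             auth_user = AuthUser(user_id, api_key, username)
             self.rhodecode_user = c.rhodecode_user = auth_user
             if not self.rhodecode_user.is_authenticated and \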
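Review bot: `AuthUser(user_id, api_key, username)` now receives a container- or proxy-supplied name on every request alongside the session's `user_id`, and nothing visible here says which identity wins when the two disagree. That precedence is presumably decided inside `AuthUser`, which is not part of this diff, so a short comment above the call would help the next reader, e.g. `# username comes from the container/proxy (if enabled); AuthUser decides precedence over the session user_id`. The enclosing method starts and ends outside the hunk.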

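--- a/rhodecode/lib/middleware/simplegit.py
+++ b/rhodecode/lib/middleware/simplegit.py
                 # NEED TO AUTHENTICATE AND ASK FOR AUTH USER PERMISSIONS
                 #==============================================================
 
-                if not get_container_username(environ, self.config):
+                # Attempting to retrieve username from the container
+                username = get_container_username(environ, self.config)
+
+                # If not authenticated by the container, running basic auth
+                if not username:
                     self.authenticate.realm = \
                         safe_str(self.config['rhodecode_realm'])
                     result = self.authenticate(environ)
                     if isinstance(result, str):
                         AUTH_TYPE.update(environ, 'basic')
                         REMOTE_USER.update(environ, result)
+                        username = result
                     else:
                         return result.wsgi_application(environ, start_response)
 
                 #==============================================================
-                # CHECK PERMISSIONS FOR THIS REQUEST USING GIVEN USERNAME FROM
-                # BASIC AUTH
+                # CHECK PERMISSIONS FOR THIS REQUEST USING GIVEN USERNAME
                 #==============================================================
 
                 if action in ['pull', 'push']:
-                    username = get_container_username(environ, self.config)
                     try:
                         user = self.__get_user(username)
                         if user is None or not user.active: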
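Review bot: When `get_container_username()` returns a name, the basic-auth block is skipped and neither `AUTH_TYPE` nor `REMOTE_USER` is updated in `environ`, so a name taken from `X-Forwarded-User` reaches the permission check with no record of how it was established. This path performs no password check, so the comment above `if not username:` should say so explicitly, e.g. `# container/proxy-asserted identity: no credentials are verified on this path, only the permission check below`. Logging the user together with the source of the identity would also help later auditing. The same applies to the identical hunk in `rhodecode/lib/middleware/simplehg.py`. The enclosing method starts and ends outside the hunk.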

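--- a/rhodecode/lib/middleware/simplehg.py
+++ b/rhodecode/lib/middleware/simplehg.py
                 # NEED TO AUTHENTICATE AND ASK FOR AUTH USER PERMISSIONS
                 #==============================================================
 
-                if not get_container_username(environ, self.config):
+                # Attempting to retrieve username from the container
+                username = get_container_username(environ, self.config)
+
+                # If not authenticated by the container, running basic auth
+                if not username:
                     self.authenticate.realm = \
                         safe_str(self.config['rhodecode_realm'])
                     result = self.authenticate(environ)
                     if isinstance(result, str):
                         AUTH_TYPE.update(environ, 'basic')
                         REMOTE_USER.update(environ, result)
+                        username = result
                     else:
                         return result.wsgi_application(environ, start_response)
 
                 #==============================================================
-                # CHECK PERMISSIONS FOR THIS REQUEST USING GIVEN USERNAME FROM
-                # BASIC AUTH
+                # CHECK PERMISSIONS FOR THIS REQUEST USING GIVEN USERNAME
                 #==============================================================
 
                 if action in ['pull', 'push']:
-                    username = get_container_username(environ, self.config)
                     try:
                         user = self.__get_user(username)
                         if user is None or not user.active: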