Mercurial > kallithea

diff rhodecode/lib/auth.py @ 761:56c2850a5b5f beta

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
ldap auth rewrite, moved split authfunc into two functions, made ldap case insensitive for uids added some extra debug messages for ldap, and auth function added some docs for utils
author Marcin Kuzminski <marcin@python-works.com>
date Thu, 25 Nov 2010 22:58:28 +0100
parents fcd4fb51526e
children 389d02a5df52
line wrap: on
line diff
--- a/rhodecode/lib/auth.py	Thu Nov 25 22:55:10 2010 +0100
+++ b/rhodecode/lib/auth.py	Thu Nov 25 22:58:28 2010 +0100
@@ -77,38 +77,45 @@
 
 def authfunc(environ, username, password):
     """
-    Authentication function used in Mercurial/Git/ and access control,
+    Dummy authentication function used in Mercurial/Git/ and access control,
+    
+    :param environ: needed only for using in Basic auth
+    """
+    return authenticate(username, password)
+
+
+def authenticate(username, password):
+    """
+    Authentication function used for access control,
     firstly checks for db authentication then if ldap is enabled for ldap
     authentication, also creates ldap user if not in database
     
-    :param environ: needed only for using in Basic auth, can be None
     :param username: username
     :param password: password
     """
     user_model = UserModel()
     user = user_model.get_by_username(username, cache=False)
 
+    log.debug('Authenticating user using RhodeCode account')
     if user is not None and user.is_ldap is False:
         if user.active:
 
             if user.username == 'default' and user.active:
-                log.info('user %s authenticated correctly', username)
+                log.info('user %s authenticated correctly as anonymous user',
+                         username)
                 return True
 
             elif user.username == username and check_password(password, user.password):
                 log.info('user %s authenticated correctly', username)
                 return True
         else:
-            log.error('user %s is disabled', username)
-
+            log.warning('user %s is disabled', username)
 
     else:
-
-        #since ldap is searching in case insensitive check if this user is still
-        #not in our system
-        username = username.lower()
+        log.debug('Regular authentication failed')
         user_obj = user_model.get_by_username(username, cache=False,
                                             case_insensitive=True)
+
         if user_obj is not None and user_obj.is_ldap is False:
             log.debug('this user already exists as non ldap')
             return False
@@ -120,7 +127,7 @@
         # FALLBACK TO LDAP AUTH IN ENABLE                
         #======================================================================
         if ldap_settings.get('ldap_active', False):
-
+            log.debug("Authenticating user using ldap")
             kwargs = {
                   'server':ldap_settings.get('ldap_host', ''),
                   'base_dn':ldap_settings.get('ldap_base_dn', ''),
@@ -134,18 +141,17 @@
             try:
                 aldap = AuthLdap(**kwargs)
                 res = aldap.authenticate_ldap(username, password)
+                log.debug('Got ldap response %s', res)
 
-                authenticated = res[1]['uid'][0] == username
-
-                if authenticated and user_model.create_ldap(username, password):
+                if user_model.create_ldap(username, password):
                     log.info('created new ldap user')
 
-                return authenticated
-            except (LdapUsernameError, LdapPasswordError):
-                return False
-            except:
+                return True
+            except (LdapUsernameError, LdapPasswordError,):
+                pass
+            except (Exception,):
                 log.error(traceback.format_exc())
-                return False
+                pass
     return False
 
 class  AuthUser(object):