changeset 7481:cb472dfe807d

auth: drop active_from_extern from internal auth API

Modules should never auth a user if the auth source knows the user is inactive. Also, it is too late and unreliable to disable users when they try to log in. There is thus no need for this concept. Only the crowd module had some traces of actual active_from_extern usage. The 'active' flag for crowd users was fully controlled from crowd. Instead, just let crowd reject authentication of users that are inactive in crowd, and leave the internal Kallithea 'active' flag under admin control.
author Mads Kiilerich <mads@kiilerich.com>
date Wed, 26 Dec 2018 01:53:28 +0100
parents d22a7430999f
children c9d859a89a88
files kallithea/lib/auth_modules/__init__.py kallithea/lib/auth_modules/auth_container.py kallithea/lib/auth_modules/auth_crowd.py kallithea/lib/auth_modules/auth_internal.py kallithea/lib/auth_modules/auth_ldap.py kallithea/lib/auth_modules/auth_pam.py
diffstat 6 files changed, 6 insertions(+), 20 deletions(-) [+]
--- a/kallithea/lib/auth_modules/__init__.py	Tue Dec 25 20:31:12 2018 +0100
+++ b/kallithea/lib/auth_modules/__init__.py	Wed Dec 26 01:53:28 2018 +0100
@@ -55,8 +55,6 @@
         "extern_name": "name in external source of record",
         "admin": 'True|False defines if user should be Kallithea admin',
         "active": 'True|False defines active state of user in Kallithea',
-        "active_from_extern": "True|False|None, active state from the external auth, "
-                              "None means use value from the auth plugin"
     }
 
     @property
@@ -257,18 +255,6 @@
         user_data = super(KallitheaExternalAuthPlugin, self)._authenticate(
             userobj, username, passwd, settings, **kwargs)
         if user_data is not None:
-            # maybe plugin will clean the username ?
-            # we should use the return value
-            username = user_data['username']
-            # if user is not active from our extern type we should fail to auth
-            # this can prevent from creating users in Kallithea when using
-            # external authentication, but if it's inactive user we shouldn't
-            # create that user anyway
-            if user_data['active_from_extern'] is False:
-                log.warning("User %s authenticated against %s, but is inactive",
-                            username, self.__module__)
-                return None
-
             if self.use_fake_password():
                 # Randomize the PW because we don't need it, but don't want
                 # them blank either
@@ -277,7 +263,7 @@
             log.debug('Updating or creating user info from %s plugin',
                       self.name)
             user = UserModel().create_or_update(
-                username=username,
+                username=user_data['username'],
                 password=passwd,
                 email=user_data["email"],
                 firstname=user_data["firstname"],
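Review bot: The new `username=user_data['username'],` line has no comment saying why the plugin's returned username is used instead of the `username` argument. The comment block removed earlier in this file was the only place that explained it. A one-line comment above the call, e.g. `# use the username returned by the plugin, which may have cleaned it`, would keep that rationale for the next reader. The `create_or_update(` call continues past the end of the hunk.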
--- a/kallithea/lib/auth_modules/auth_container.py	Tue Dec 25 20:31:12 2018 +0100
+++ b/kallithea/lib/auth_modules/auth_container.py	Wed Dec 26 01:53:28 2018 +0100
@@ -208,7 +208,6 @@
             'email': email or '',
             'admin': admin or False,
             'active': active,
-            'active_from_extern': True,
             'extern_name': username,
         }
 
--- a/kallithea/lib/auth_modules/auth_crowd.py	Tue Dec 25 20:31:12 2018 +0100
+++ b/kallithea/lib/auth_modules/auth_crowd.py	Wed Dec 26 01:53:28 2018 +0100
@@ -218,6 +218,11 @@
         crowd_user = server.user_auth(username, password)
         log.debug("Crowd returned: \n%s", formatted_json(crowd_user))
         if not crowd_user["status"]:
+            log.error('Crowd authentication as %s returned no status', username)
+            return None
+
+        if not crowd_user.get('active'):
+            log.error('Crowd authentication as %s returned in-active user', username)
             return None
 
         res = server.user_groups(crowd_user["name"])
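Review bot: The new check `if not crowd_user.get('active'):` rejects the login whenever the Crowd response has no `active` key, whereas the removed base-class check only failed on an explicit `is False`. Failing closed is the safer default for an auth decision, but it is a behaviour change and should be stated, e.g. `# fail closed: a missing or false 'active' from Crowd rejects the login`. Both new messages use `log.error`, while the removed base-class code reported the same inactive-user condition with `log.warning`. A rejected login is an expected event, so `log.warning` would leave the error level for real faults in the Crowd connection. The enclosing function starts and ends outside the hunk.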
@@ -239,7 +244,6 @@
             'email': crowd_user["email"] or email,
             'admin': admin,
             'active': active,
-            'active_from_extern': crowd_user.get('active'), # ???
             'extern_name': crowd_user["name"],
         }
 
--- a/kallithea/lib/auth_modules/auth_internal.py	Tue Dec 25 20:31:12 2018 +0100
+++ b/kallithea/lib/auth_modules/auth_internal.py	Wed Dec 26 01:53:28 2018 +0100
@@ -79,7 +79,6 @@
             "email": userobj.email,
             "admin": userobj.admin,
             "active": userobj.active,
-            "active_from_extern": userobj.active,
             "extern_name": userobj.user_id,
         }
 
--- a/kallithea/lib/auth_modules/auth_ldap.py	Tue Dec 25 20:31:12 2018 +0100
+++ b/kallithea/lib/auth_modules/auth_ldap.py	Wed Dec 26 01:53:28 2018 +0100
@@ -352,7 +352,6 @@
                 'email': get_ldap_attr('attr_email') or email,
                 'admin': admin,
                 'active': active,
-                "active_from_extern": None,
                 'extern_name': user_dn,
             }
             log.info('user %s authenticated correctly', user_data['username'])
--- a/kallithea/lib/auth_modules/auth_pam.py	Tue Dec 25 20:31:12 2018 +0100
+++ b/kallithea/lib/auth_modules/auth_pam.py	Wed Dec 26 01:53:28 2018 +0100
@@ -128,7 +128,6 @@
             'email': email,
             'admin': admin,
             'active': active,
-            "active_from_extern": None,
             'extern_name': username,
         }