Posted to commits@allura.apache.org by jo...@apache.org on 2014/03/20 19:46:49 UTC
[01/10] git commit: [#6701] Refactored auth check
Repository: incubator-allura
Updated Branches:
refs/heads/master 7fbafb6fd -> f970d43d4
[#6701] Refactored auth check
Signed-off-by: Cory Johns <cj...@slashdotmedia.com>
Project: http://git-wip-us.apache.org/repos/asf/incubator-allura/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-allura/commit/6cffed91
Tree: http://git-wip-us.apache.org/repos/asf/incubator-allura/tree/6cffed91
Diff: http://git-wip-us.apache.org/repos/asf/incubator-allura/diff/6cffed91
Branch: refs/heads/master
Commit: 6cffed916fb2a96ceda8c179411cc49a8281cf0f
Parents: ca6dd59
Author: Cory Johns <cj...@slashdotmedia.com>
Authored: Tue Mar 18 18:47:24 2014 +0000
Committer: Cory Johns <cj...@slashdotmedia.com>
Committed: Thu Mar 20 18:43:45 2014 +0000
----------------------------------------------------------------------
scripts/ApacheAccessHandler.py | 66 +++++++++++++++++--------------------
1 file changed, 30 insertions(+), 36 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-allura/blob/6cffed91/scripts/ApacheAccessHandler.py
----------------------------------------------------------------------
diff --git a/scripts/ApacheAccessHandler.py b/scripts/ApacheAccessHandler.py
index 0eeab63..5f2ffce 100644
--- a/scripts/ApacheAccessHandler.py
+++ b/scripts/ApacheAccessHandler.py
@@ -64,6 +64,8 @@ def mangle(path):
/SCM/project.neighborhood/a/b/c
'''
parts = [p for p in path.split(os.path.sep) if p]
+ if len(parts) < 4:
+ return None
scm, nbhd, proj, rest = parts[0], parts[1], parts[2], parts[3:]
parts = ['/SCM/%s.%s' % (proj, nbhd)] + rest
return '/'.join(parts)
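Review bot: mangle splits the request URI on `os.path.sep`, but the input is a URL path whose separator is always '/', so on any host where the OS separator differs the split yields a single segment and every request is rejected as not found; use `parts = [p for p in path.split('/') if p]`. The new length guard makes mangle return None, which check_repo_path turns into a 404, and that contract deserves a docstring line such as `Returns None when the path has fewer than four segments.` mangle's signature and the start of its docstring lie before this hunk.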
@@ -91,60 +93,52 @@ def get_permission_name(req_path, req_query, req_method):
return 'allow_write' # TODO: Differentiate reads and write for Hg
-def handler(req):
- req.add_common_vars()
- req_path = str(req.parsed_uri[apache.URI_PATH])
- req_query = str(req.parsed_uri[apache.URI_QUERY])
+def check_repo_path(req):
+ repo_path = mangle(str(req.parsed_uri[apache.URI_PATH]))
+ return repo_path is not None
- req_passwd = req.get_basic_auth_pw()
- req_user = req.user
- req_method = req.method
- log(req, "PATH: %s QUERY: %s METHOD: %s" % (req_path, req_query, req_method))
+def check_authentication(req):
+ log(req, "USER: "+req.user)
+ return ldap_auth(req, req.user, req.get_basic_auth_pw())
- try:
- params = {'repo_path': mangle(req_path)}
- except:
- return apache.HTTP_NOT_FOUND
- if req_user:
- log(req, "USER: "+req_user)
- params['username'] = req_user
- if not ldap_auth(req, req_user, req_passwd):
- return apache.HTTP_UNAUTHORIZED
- #return apache.HTTP_FORBIDDEN
- log(req, "USER: "+req_user)
- else:
- log(req, "USER: Anonymous")
-
- url = req.get_options().get('ALLURA_PERM_URL', 'http://127.0.0.1:8080/auth/repo_permissions')
- r = requests.get(url, params=params)
+def check_permissions(req):
+ req_path = str(req.parsed_uri[apache.URI_PATH])
+ req_query = str(req.parsed_uri[apache.URI_QUERY])
+ perm_url = req.get_options().get('ALLURA_PERM_URL', 'http://127.0.0.1:8080/auth/repo_permissions')
+ r = requests.get(perm_url, params={'username': req.user, 'repo_path': mangle(req_path)})
if r.status_code != 200:
log(req, "repo_permissions return error (%d)" % r.status_code)
- return apache.HTTP_FORBIDDEN
+ return False
try:
cred = json.loads(r.content)
except Exception as ex:
log(req, "error decoding JSON %s %s" % (r.headers['content-type'], ex))
- return apache.HTTP_FORBIDDEN
+ return False
- permission = get_permission_name(req_path, req_method)
+ permission = get_permission_name(req_path, req_query, req.method)
authorized = cred.get(permission, False)
log(req, "%s -> %s -> %s -> authorized:%s" % (r.url, cred, permission, authorized))
+ return authorized
- if authorized:
- log(req, "Request ACCEPTED")
- return apache.OK
- elif req_user:
- log(req, "Request FORBIDDEN")
- return apache.HTTP_UNAUTHORIZED
- #return apache.HTTP_FORBIDDEN
- else:
- log(req, "Request UNAUTHORIZED")
+
+def handler(req):
+ req.add_common_vars()
+
+ if not check_repo_path(req):
+ return apache.HTTP_NOT_FOUND
+
+ if req.user and not check_authentication(req):
return apache.HTTP_UNAUTHORIZED
+ if not check_permissions(req):
+ return apache.HTTP_FORBIDDEN
+
+ return apache.OK
+
def accesshandler(req):
log(req, "AccessHandler")
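Review bot: The `requests.get(perm_url, ...)` call in check_permissions has no `timeout`, so a stalled Allura backend holds the Apache worker for this request indefinitely; pass e.g. `requests.get(perm_url, params={...}, timeout=10)` and do the same for the `requests.post` that check_authentication gains in commit 05/10. get_permission_name returns None for a path outside /git/, /svn/ and /hg/, and `cred.get(None, False)` then denies — the right fail-closed outcome, but it is implicit; a comment on the `authorized = cred.get(permission, False)` line such as `# permission may be None for an unknown SCM path -> denied` makes it deliberate. check_repo_path and check_permissions both call mangle on the same path; harmless, but the result could be computed once in handler and passed down.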
[10/10] git commit: [#6701] Must call get_basic_auth_pw before
req.user
Posted by jo...@apache.org.
[#6701] Must call get_basic_auth_pw before req.user
Signed-off-by: Cory Johns <cj...@slashdotmedia.com>
Project: http://git-wip-us.apache.org/repos/asf/incubator-allura/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-allura/commit/f970d43d
Tree: http://git-wip-us.apache.org/repos/asf/incubator-allura/tree/f970d43d
Diff: http://git-wip-us.apache.org/repos/asf/incubator-allura/diff/f970d43d
Branch: refs/heads/master
Commit: f970d43d4ad579ede476d97ea916c07d1a6d59ec
Parents: 496090a
Author: Cory Johns <cj...@slashdotmedia.com>
Authored: Wed Mar 19 20:20:42 2014 +0000
Committer: Cory Johns <cj...@slashdotmedia.com>
Committed: Thu Mar 20 18:45:32 2014 +0000
----------------------------------------------------------------------
scripts/ApacheAccessHandler.py | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-allura/blob/f970d43d/scripts/ApacheAccessHandler.py
----------------------------------------------------------------------
diff --git a/scripts/ApacheAccessHandler.py b/scripts/ApacheAccessHandler.py
index 6575a6f..69e1d62 100644
--- a/scripts/ApacheAccessHandler.py
+++ b/scripts/ApacheAccessHandler.py
@@ -91,10 +91,13 @@ def check_repo_path(req):
def check_authentication(req):
+ password = req.get_basic_auth_pw() # MUST be called before req.user
+ username = req.user
+ log(req, "checking auth for: %s" % username)
auth_url = req.get_options().get('ALLURA_AUTH_URL', 'https://127.0.0.1/auth/do_login')
r = requests.post(auth_url, allow_redirects=False, data={
- 'username': req.user,
- 'password': req.get_basic_auth_pw(),
+ 'username': username,
+ 'password': password,
'return_to': '/login_successful'})
return r.status_code == 302 and r.headers['location'].endswith('/login_successful')
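Review bot: `r.headers['location']` raises KeyError when the 302 response carries no Location header, which propagates out of the access handler as a server error rather than a clean denial; use `r.headers.get('location', '').endswith('/login_successful')`. The same expression is introduced by the hunk in commit 07/10 and retained in 08/10. The `requests.post` also has no `timeout`, so a stalled auth backend blocks the Apache worker; add `timeout=` there. The comment `# MUST be called before req.user` would help more if it said why — presumably mod_python only populates req.user while parsing the Authorization header inside get_basic_auth_pw(); confirm and state it.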
[09/10] git commit: [#6701] Added support for virtualenv to
ApacheAccessHandler
Posted by jo...@apache.org.
[#6701] Added support for virtualenv to ApacheAccessHandler
Signed-off-by: Cory Johns <cj...@slashdotmedia.com>
Project: http://git-wip-us.apache.org/repos/asf/incubator-allura/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-allura/commit/4c90effb
Tree: http://git-wip-us.apache.org/repos/asf/incubator-allura/tree/4c90effb
Diff: http://git-wip-us.apache.org/repos/asf/incubator-allura/diff/4c90effb
Branch: refs/heads/master
Commit: 4c90effbd0bef38f62aa2aa2dae32dcb2fcd6e97
Parents: a71aa70
Author: Cory Johns <cj...@slashdotmedia.com>
Authored: Tue Mar 18 22:49:45 2014 +0000
Committer: Cory Johns <cj...@slashdotmedia.com>
Committed: Thu Mar 20 18:43:46 2014 +0000
----------------------------------------------------------------------
scripts/ApacheAccessHandler.py | 16 +++++++++++++++-
1 file changed, 15 insertions(+), 1 deletion(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-allura/blob/4c90effb/scripts/ApacheAccessHandler.py
----------------------------------------------------------------------
diff --git a/scripts/ApacheAccessHandler.py b/scripts/ApacheAccessHandler.py
index 585c6b2..946898b 100644
--- a/scripts/ApacheAccessHandler.py
+++ b/scripts/ApacheAccessHandler.py
@@ -22,6 +22,7 @@ Here is a quick example for your apache settings (assuming ProxyPass)
AuthBasicAuthoritative off
PythonOption ALLURA_PERM_URL https://127.0.0.1/auth/repo_permissions
PythonOption ALLURA_AUTH_URL https://127.0.0.1/auth/do_login
+ PythonOption ALLURA_VIRTUALENV /var/local/env-allura
</Location>
"""
@@ -29,14 +30,26 @@ Here is a quick example for your apache settings (assuming ProxyPass)
from mod_python import apache
import os
-import requests
import json
+requests = None # will be imported on demand, to allow for virtualenv
+
+
def log(req, message):
req.log_error("Allura Access: %s" % message, apache.APLOG_WARNING)
+def load_requests_lib(req):
+ virtualenv_path = req.get_options().get('ALLURA_VIRTUALENV', None)
+ if virtualenv_path:
+ activate_this = '%s/bin/activate_this.py' % virtualenv_path
+ execfile(activate_this, {'__file__': activate_this})
+ global requests
+ import requests as requests_lib
+ requests = requests_lib
+
+
# This came straight from accessfs.py
def mangle(path):
'''Convert paths from the form /SCM/neighborhood/project/a/b/c to
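Review bot: load_requests_lib re-runs `execfile(activate_this, ...)` and the import on every request because handler calls it unconditionally, and activate_this.py typically prepends the virtualenv's site-packages to sys.path each time it executes, so sys.path grows with the request count; short-circuit with `if requests is not None: return` at the top of the function. The execfile'd path comes from the `ALLURA_VIRTUALENV` PythonOption, i.e. server configuration rather than request data, and a one-line comment saying so would save the next reader from auditing it as an injection point. `execfile` ties the script to Python 2, which is consistent with the mod_python dependency but worth a note in the module docstring.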
@@ -109,6 +122,7 @@ def check_permissions(req):
def handler(req):
+ load_requests_lib(req)
req.add_common_vars()
if not check_repo_path(req):
[03/10] git commit: [#6701] Added access handler submitted by Rui
Ferreira
Posted by jo...@apache.org.
[#6701] Added access handler submitted by Rui Ferreira
Signed-off-by: Cory Johns <cj...@slashdotmedia.com>
Project: http://git-wip-us.apache.org/repos/asf/incubator-allura/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-allura/commit/eb831c65
Tree: http://git-wip-us.apache.org/repos/asf/incubator-allura/tree/eb831c65
Diff: http://git-wip-us.apache.org/repos/asf/incubator-allura/diff/eb831c65
Branch: refs/heads/master
Commit: eb831c658ca948ae5b64c1361d9dc2441ac29093
Parents: 7fbafb6
Author: Cory Johns <cj...@slashdotmedia.com>
Authored: Tue Mar 18 16:05:13 2014 +0000
Committer: Cory Johns <cj...@slashdotmedia.com>
Committed: Thu Mar 20 18:43:45 2014 +0000
----------------------------------------------------------------------
scripts/ApacheAccessHandler.py | 158 ++++++++++++++++++++++++++++++++++++
1 file changed, 158 insertions(+)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-allura/blob/eb831c65/scripts/ApacheAccessHandler.py
----------------------------------------------------------------------
diff --git a/scripts/ApacheAccessHandler.py b/scripts/ApacheAccessHandler.py
new file mode 100644
index 0000000..99d05ef
--- /dev/null
+++ b/scripts/ApacheAccessHandler.py
@@ -0,0 +1,158 @@
+"""
+An Apache authorization handler for Allura
+
+* This needs python-requests in the modpython path
+* Check fuse/accessfs.py for more details on the path mangling
+ magic
+
+Here is a quick example for your apache settings (assuming ProxyPass)
+
+ SetEnv GIT_PROJECT_ROOT /opt/allura/scm/git
+ SetEnv GIT_HTTP_EXPORT_ALL
+ ProxyPass /git/ !
+ ScriptAlias /git/ /usr/lib/git-core/git-http-backend/
+
+ <Location "/git/">
+ AddHandler mod_python .py
+ PythonAccessHandler /path/to/ApacheAccessHandler.py
+ PythonDebug On
+
+ AuthType Basic
+ AuthName "Git Access"
+ AuthBasicAuthoritative off
+ PythonOption ALLURA_PERM_URL http://127.0.0.1:8080/auth/repo_permissions
+ PythonOption ALLURA_LDAP_BASE ou=people,dc=opensourceprojects,dc=eu
+ </Location>
+
+"""
+
+
+from mod_python import apache
+import re
+import os
+# because urllib is not for humans
+import requests
+import json
+import ldap
+
+
+def log(req, message):
+ req.log_error("Allura Access: %s" % message, apache.APLOG_WARNING)
+
+
+def ldap_auth(req, username, password):
+ """
+ Return True if the user was authenticated via LDAP
+ """
+
+ l = ldap.initialize('ldap://127.0.0.1')
+ l.protocol_version = ldap.VERSION3
+ ldap_user = "uid=%s,%s" % (username, req.get_options().get('ALLURA_LDAP_BASE', 'ou=people,dc=example,dc=com'))
+
+ try:
+ l.simple_bind_s(ldap_user, password)
+ except ldap.LDAPError as e:
+ log(req, "Unable to authenticate user, %s %s" % (ldap_user, e))
+ return False
+ log(req, "LDAP user authenticated %s" % ldap_user)
+
+ return True
+
+
+# This came straight from accessfs.py
+def mangle(path):
+ '''Convert paths from the form /SCM/neighborhood/project/a/b/c to
+ /SCM/project.neighborhood/a/b/c
+ '''
+ parts = [p for p in path.split(os.path.sep) if p]
+ scm, nbhd, proj, rest = parts[0], parts[1], parts[2], parts[3:]
+ parts = ['/SCM/%s.%s' % (proj, nbhd)] + rest
+ return '/'.join(parts)
+
+
+def handler(req):
+ req.add_common_vars()
+ req_path = str(req.parsed_uri[apache.URI_PATH])
+ req_query = str(req.parsed_uri[apache.URI_QUERY])
+
+ req_passwd = req.get_basic_auth_pw()
+ req_user = req.user
+ req_method = req.method
+
+ log(req, "PATH: %s QUERY: %s METHOD: %s" % (req_path, req_query, req_method))
+
+ try:
+ params = {'repo_path': mangle(req_path)}
+ except:
+ return apache.HTTP_NOT_FOUND
+
+ if req_user:
+ log(req, "USER: "+req_user)
+ params['username'] = req_user
+ if not ldap_auth(req, req.user, req_passwd):
+ return apache.HTTP_UNAUTHORIZED
+ #return apache.HTTP_FORBIDDEN
+ log(req, "USER: "+req.user)
+ else:
+ log(req, "USER: Anonymous")
+
+ url = req.get_options().get('ALLURA_PERM_URL', 'http://127.0.0.1:8080/auth/repo_permissions')
+ r = requests.get(url, params=params)
+ if r.status_code != 200:
+ log(req, "repo_permissions return error (%d)" % r.status_code)
+ return apache.HTTP_FORBIDDEN
+
+ try:
+ cred = json.loads(r.content)
+ except Exception as ex:
+ log(req, "error decoding JSON %s %s" % (r.headers['content-type'], ex))
+ return apache.HTTP_FORBIDDEN
+
+ #
+ # Distinguish READ and WRITE
+ #
+ # TODO: HG
+ #
+
+ authorized = False
+ # GIT
+ if re.match('^/git/.*', req_path):
+ if re.match('.*/git-receive-pack', req_path) or re.match('service=git-receive-pack', req_query):
+ # Write access
+ log(req, "Request is GIT Auth Write")
+ authorized = cred.get('allow_write', False)
+ else:
+ # Read access
+ log(req, "Request is GIT Auth READ")
+ authorized = cred.get('allow_read', False)
+ # SVN
+ if re.match('^/svn/.*', req_path):
+ if req_method in ('MKACTIVITY', 'PROPPATCH', 'PUT', 'CHECKOUT', 'MKCOL',
+ 'MOVE', 'COPY', 'DELETE', 'LOCK', 'UNLOCK', 'MERGE', 'POST'):
+ # Write access
+ log(req, "Request is SVN Auth WRITE")
+ authorized = cred.get('allow_write', False)
+ elif req_method in ("GET", "PROPFIND", "OPTIONS", "REPORT"):
+ # Read access
+ log(req, "Request is SVN Auth READ")
+ authorized = cred.get('allow_read', False)
+ else:
+ log(req, "Request is SVN unknown %s" % req_method)
+
+ log(req, "%s -> %s -> authorized:%s" % (r.url, cred, authorized))
+
+ if authorized:
+ log(req, "Request ACCEPTED")
+ return apache.OK
+ elif req.user:
+ log(req, "Request FORBIDDEN")
+ return apache.HTTP_UNAUTHORIZED
+ #return apache.HTTP_FORBIDDEN
+ else:
+ log(req, "Request UNAUTHORIZED")
+ return apache.HTTP_UNAUTHORIZED
+
+
+def accesshandler(req):
+ log(req, "AccessHandler")
+ return handler(req)
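Review bot: ldap_auth calls `l.simple_bind_s(ldap_user, password)` without first rejecting an empty password; many directory servers treat a bind with a DN and an empty password as an anonymous (unauthenticated) bind that succeeds, which would accept any username with no password. Guard before the bind with `if not password: return False`. The bind DN is also built by interpolating the client-supplied username, `"uid=%s,%s" % (username, ...)`; escape it with `ldap.dn.escape_dn_chars(username)` so DN metacharacters cannot alter which entry is bound. The LDAP server `ldap://127.0.0.1` is hard-coded and unencrypted while the base DN is configurable; a PythonOption for the server URL (and a docstring line noting the bind is in the clear) would keep the two consistent.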
[08/10] git commit: [#6701] Don't send usernames and passwords in the
URI (ends up in logs)
Posted by jo...@apache.org.
[#6701] Don't send usernames and passwords in the URI (ends up in logs)
Signed-off-by: Cory Johns <cj...@slashdotmedia.com>
Project: http://git-wip-us.apache.org/repos/asf/incubator-allura/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-allura/commit/496090ad
Tree: http://git-wip-us.apache.org/repos/asf/incubator-allura/tree/496090ad
Diff: http://git-wip-us.apache.org/repos/asf/incubator-allura/diff/496090ad
Branch: refs/heads/master
Commit: 496090ad39002e3956decd6a2c6c02b295841669
Parents: bb8a81b
Author: Cory Johns <cj...@slashdotmedia.com>
Authored: Wed Mar 19 20:01:51 2014 +0000
Committer: Cory Johns <cj...@slashdotmedia.com>
Committed: Thu Mar 20 18:43:46 2014 +0000
----------------------------------------------------------------------
scripts/ApacheAccessHandler.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-allura/blob/496090ad/scripts/ApacheAccessHandler.py
----------------------------------------------------------------------
diff --git a/scripts/ApacheAccessHandler.py b/scripts/ApacheAccessHandler.py
index 390dca3..6575a6f 100644
--- a/scripts/ApacheAccessHandler.py
+++ b/scripts/ApacheAccessHandler.py
@@ -92,7 +92,7 @@ def check_repo_path(req):
def check_authentication(req):
auth_url = req.get_options().get('ALLURA_AUTH_URL', 'https://127.0.0.1/auth/do_login')
- r = requests.post(auth_url, allow_redirects=False, params={
+ r = requests.post(auth_url, allow_redirects=False, data={
'username': req.user,
'password': req.get_basic_auth_pw(),
'return_to': '/login_successful'})
[07/10] git commit: [#6701] Improve reliability of auth check
Posted by jo...@apache.org.
[#6701] Improve reliability of auth check
Signed-off-by: Cory Johns <cj...@slashdotmedia.com>
Project: http://git-wip-us.apache.org/repos/asf/incubator-allura/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-allura/commit/a71aa702
Tree: http://git-wip-us.apache.org/repos/asf/incubator-allura/tree/a71aa702
Diff: http://git-wip-us.apache.org/repos/asf/incubator-allura/diff/a71aa702
Branch: refs/heads/master
Commit: a71aa702e39696a5d40eb6fb3ade7dc7739d7429
Parents: 0bbf17d
Author: Cory Johns <cj...@slashdotmedia.com>
Authored: Tue Mar 18 21:35:43 2014 +0000
Committer: Cory Johns <cj...@slashdotmedia.com>
Committed: Thu Mar 20 18:43:46 2014 +0000
----------------------------------------------------------------------
scripts/ApacheAccessHandler.py | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-allura/blob/a71aa702/scripts/ApacheAccessHandler.py
----------------------------------------------------------------------
diff --git a/scripts/ApacheAccessHandler.py b/scripts/ApacheAccessHandler.py
index 19c5207..585c6b2 100644
--- a/scripts/ApacheAccessHandler.py
+++ b/scripts/ApacheAccessHandler.py
@@ -81,8 +81,9 @@ def check_authentication(req):
auth_url = req.get_options().get('ALLURA_AUTH_URL', 'https://127.0.0.1/auth/do_login')
r = requests.post(auth_url, allow_redirects=False, params={
'username': req.user,
- 'password': req.get_basic_auth_pw()})
- return r.status_code == 302
+ 'password': req.get_basic_auth_pw(),
+ 'return_to': '/login_successful'})
+ return r.status_code == 302 and r.headers['location'].endswith('/login_successful')
def check_permissions(req):
[06/10] git commit: [#3815] Render return_to field on login form
Posted by jo...@apache.org.
[#3815] Render return_to field on login form
Project: http://git-wip-us.apache.org/repos/asf/incubator-allura/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-allura/commit/0bbf17d7
Tree: http://git-wip-us.apache.org/repos/asf/incubator-allura/tree/0bbf17d7
Diff: http://git-wip-us.apache.org/repos/asf/incubator-allura/diff/0bbf17d7
Branch: refs/heads/master
Commit: 0bbf17d749799fafe3df4de0c154d4bd34a99626
Parents: c7fe047
Author: Cory Johns <cj...@slashdotmedia.com>
Authored: Tue Mar 18 21:33:12 2014 +0000
Committer: Cory Johns <cj...@slashdotmedia.com>
Committed: Thu Mar 20 18:43:46 2014 +0000
----------------------------------------------------------------------
Allura/allura/lib/widgets/auth_widgets.py | 6 ++----
1 file changed, 2 insertions(+), 4 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-allura/blob/0bbf17d7/Allura/allura/lib/widgets/auth_widgets.py
----------------------------------------------------------------------
diff --git a/Allura/allura/lib/widgets/auth_widgets.py b/Allura/allura/lib/widgets/auth_widgets.py
index f97c976..034da45 100644
--- a/Allura/allura/lib/widgets/auth_widgets.py
+++ b/Allura/allura/lib/widgets/auth_widgets.py
@@ -37,7 +37,8 @@ class LoginForm(ForgeForm):
def fields(self):
fields = [
ew.TextField(name='username', label='Username'),
- ew.PasswordField(name='password', label='Password')
+ ew.PasswordField(name='password', label='Password'),
+ ew.HiddenField(name='return_to'),
]
if plugin.AuthenticationProvider.get(request).forgotten_password_process:
# only show link if auth provider has method of recovering password
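Review bot: `ew.HiddenField(name='return_to')` now makes return_to an ordinary submitted field of the login form, but nothing in this hunk constrains its value; whether the login controller limits the redirect target to a local path is not visible here and should be confirmed, since an unconstrained value would let the form act as an open redirector. A short comment on the new line, e.g. `# redirect target after login; validated server-side before use`, would document that expectation once it is verified. The `fields` method belongs to LoginForm, whose class header lies before this hunk.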
@@ -45,9 +46,6 @@ class LoginForm(ForgeForm):
ew.HTMLField(name='link', text='<a href="forgotten_password">Forgot password?</a>'))
return fields
- class hidden_fields(ew_core.NameList):
- return_to = ew.HiddenField()
-
@validator
def validate(self, value, state=None):
try:
[02/10] git commit: [#6701] Refactored permission handling
Posted by jo...@apache.org.
[#6701] Refactored permission handling
Signed-off-by: Cory Johns <cj...@slashdotmedia.com>
Project: http://git-wip-us.apache.org/repos/asf/incubator-allura/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-allura/commit/ca6dd597
Tree: http://git-wip-us.apache.org/repos/asf/incubator-allura/tree/ca6dd597
Diff: http://git-wip-us.apache.org/repos/asf/incubator-allura/diff/ca6dd597
Branch: refs/heads/master
Commit: ca6dd59747083738c54453bed685781ef01cf0a5
Parents: eb831c6
Author: Cory Johns <cj...@slashdotmedia.com>
Authored: Tue Mar 18 16:28:30 2014 +0000
Committer: Cory Johns <cj...@slashdotmedia.com>
Committed: Thu Mar 20 18:43:45 2014 +0000
----------------------------------------------------------------------
scripts/ApacheAccessHandler.py | 63 +++++++++++++++++--------------------
1 file changed, 28 insertions(+), 35 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-allura/blob/ca6dd597/scripts/ApacheAccessHandler.py
----------------------------------------------------------------------
diff --git a/scripts/ApacheAccessHandler.py b/scripts/ApacheAccessHandler.py
index 99d05ef..0eeab63 100644
--- a/scripts/ApacheAccessHandler.py
+++ b/scripts/ApacheAccessHandler.py
@@ -28,7 +28,6 @@ Here is a quick example for your apache settings (assuming ProxyPass)
from mod_python import apache
-import re
import os
# because urllib is not for humans
import requests
@@ -70,6 +69,28 @@ def mangle(path):
return '/'.join(parts)
+def get_permission_name(req_path, req_query, req_method):
+ """
+ Determine whether the request is trying to read or write,
+ and return the name of the appropriate permission to check.
+ """
+ if req_path.startswith('/git/'):
+ if req_path.endswith('/git-receive-pack') or 'service=git-receive-pack' in req_query:
+ return 'allow_write'
+ else:
+ return 'allow_read'
+ elif req_path.startswith('/svn/'):
+ if req_method in ('MKACTIVITY', 'PROPPATCH', 'PUT', 'CHECKOUT', 'MKCOL',
+ 'MOVE', 'COPY', 'DELETE', 'LOCK', 'UNLOCK', 'MERGE', 'POST'):
+ return 'allow_write'
+ elif req_method in ("GET", "PROPFIND", "OPTIONS", "REPORT"):
+ return 'allow_read'
+ else:
+ return 'allow_write' # default to requiring write permission
+ elif req_path.startswith('/hg/'):
+ return 'allow_write' # TODO: Differentiate reads and write for Hg
+
+
def handler(req):
req.add_common_vars()
req_path = str(req.parsed_uri[apache.URI_PATH])
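Review bot: get_permission_name falls off the end for a path under none of /git/, /svn/ or /hg/ and returns None implicitly; the caller's `cred.get(permission, False)` then denies, which is the safe outcome, but it should be explicit with a trailing `return None  # unknown SCM type: no permission name, caller denies` and a matching docstring sentence. The SVN branch also changes behaviour: an unrecognised method was previously always denied, and is now permitted for a user holding allow_write — if that is intended, say so in the docstring rather than only in the inline comment. handler, whose first lines close this hunk, continues outside it.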
@@ -89,10 +110,10 @@ def handler(req):
if req_user:
log(req, "USER: "+req_user)
params['username'] = req_user
- if not ldap_auth(req, req.user, req_passwd):
+ if not ldap_auth(req, req_user, req_passwd):
return apache.HTTP_UNAUTHORIZED
#return apache.HTTP_FORBIDDEN
- log(req, "USER: "+req.user)
+ log(req, "USER: "+req_user)
else:
log(req, "USER: Anonymous")
@@ -108,43 +129,15 @@ def handler(req):
log(req, "error decoding JSON %s %s" % (r.headers['content-type'], ex))
return apache.HTTP_FORBIDDEN
- #
- # Distinguish READ and WRITE
- #
- # TODO: HG
- #
-
- authorized = False
- # GIT
- if re.match('^/git/.*', req_path):
- if re.match('.*/git-receive-pack', req_path) or re.match('service=git-receive-pack', req_query):
- # Write access
- log(req, "Request is GIT Auth Write")
- authorized = cred.get('allow_write', False)
- else:
- # Read access
- log(req, "Request is GIT Auth READ")
- authorized = cred.get('allow_read', False)
- # SVN
- if re.match('^/svn/.*', req_path):
- if req_method in ('MKACTIVITY', 'PROPPATCH', 'PUT', 'CHECKOUT', 'MKCOL',
- 'MOVE', 'COPY', 'DELETE', 'LOCK', 'UNLOCK', 'MERGE', 'POST'):
- # Write access
- log(req, "Request is SVN Auth WRITE")
- authorized = cred.get('allow_write', False)
- elif req_method in ("GET", "PROPFIND", "OPTIONS", "REPORT"):
- # Read access
- log(req, "Request is SVN Auth READ")
- authorized = cred.get('allow_read', False)
- else:
- log(req, "Request is SVN unknown %s" % req_method)
+ permission = get_permission_name(req_path, req_method)
+ authorized = cred.get(permission, False)
- log(req, "%s -> %s -> authorized:%s" % (r.url, cred, authorized))
+ log(req, "%s -> %s -> %s -> authorized:%s" % (r.url, cred, permission, authorized))
if authorized:
log(req, "Request ACCEPTED")
return apache.OK
- elif req.user:
+ elif req_user:
log(req, "Request FORBIDDEN")
return apache.HTTP_UNAUTHORIZED
#return apache.HTTP_FORBIDDEN
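Review bot: `permission = get_permission_name(req_path, req_method)` passes two arguments to a function that takes three (`req_path, req_query, req_method`), so every request reaching this line fails with a TypeError and the handler never returns a status; `req_query` is already computed earlier in handler, so the call should read `permission = get_permission_name(req_path, req_query, req_method)`. handler continues past the end of this hunk.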
[04/10] git commit: [#6701] Return 401 Unauthorized instead of 403
Forbidden when anonymous access is denied to force client to prompt for auth
Posted by jo...@apache.org.
[#6701] Return 401 Unauthorized instead of 403 Forbidden when anonymous access is denied to force client to prompt for auth
Signed-off-by: Cory Johns <cj...@slashdotmedia.com>
Project: http://git-wip-us.apache.org/repos/asf/incubator-allura/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-allura/commit/bb8a81bc
Tree: http://git-wip-us.apache.org/repos/asf/incubator-allura/tree/bb8a81bc
Diff: http://git-wip-us.apache.org/repos/asf/incubator-allura/diff/bb8a81bc
Branch: refs/heads/master
Commit: bb8a81bc4d9796f3e05a789e9003f427a393f0a3
Parents: 4c90eff
Author: Cory Johns <cj...@slashdotmedia.com>
Authored: Wed Mar 19 15:11:50 2014 +0000
Committer: Cory Johns <cj...@slashdotmedia.com>
Committed: Thu Mar 20 18:43:46 2014 +0000
----------------------------------------------------------------------
scripts/ApacheAccessHandler.py | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-allura/blob/bb8a81bc/scripts/ApacheAccessHandler.py
----------------------------------------------------------------------
diff --git a/scripts/ApacheAccessHandler.py b/scripts/ApacheAccessHandler.py
index 946898b..390dca3 100644
--- a/scripts/ApacheAccessHandler.py
+++ b/scripts/ApacheAccessHandler.py
@@ -128,10 +128,14 @@ def handler(req):
if not check_repo_path(req):
return apache.HTTP_NOT_FOUND
- if req.user and not check_authentication(req):
+ authenticated = check_authentication(req)
+ if req.user and not authenticated:
return apache.HTTP_UNAUTHORIZED
- if not check_permissions(req):
+ authorized = check_permissions(req)
+ if not req.user and not authorized:
+ return apache.HTTP_UNAUTHORIZED
+ elif not authorized:
return apache.HTTP_FORBIDDEN
return apache.OK
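Review bot: `authenticated = check_authentication(req)` now runs for every request, including anonymous ones where `req.user` is unset, so the handler posts an empty username and password to the auth backend and only afterwards ignores the result; keep the backend call conditional, `authenticated = bool(req.user) and check_authentication(req)`. A comment above the two `authorized` branches, e.g. `# 401 for anonymous so the client prompts for credentials; 403 for a known user`, would carry the commit's intent into the code. handler starts before this hunk.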
[05/10] git commit: [#6701] Changed ApacheAccessHandler.py to use
Allura auth via requests
Posted by jo...@apache.org.
[#6701] Changed ApacheAccessHandler.py to use Allura auth via requests
Signed-off-by: Cory Johns <cj...@slashdotmedia.com>
Project: http://git-wip-us.apache.org/repos/asf/incubator-allura/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-allura/commit/c7fe0470
Tree: http://git-wip-us.apache.org/repos/asf/incubator-allura/tree/c7fe0470
Diff: http://git-wip-us.apache.org/repos/asf/incubator-allura/diff/c7fe0470
Branch: refs/heads/master
Commit: c7fe0470fa0f7bf61c1e42de8702842aa2eb3bbc
Parents: 6cffed9
Author: Cory Johns <cj...@slashdotmedia.com>
Authored: Tue Mar 18 20:35:26 2014 +0000
Committer: Cory Johns <cj...@slashdotmedia.com>
Committed: Thu Mar 20 18:43:46 2014 +0000
----------------------------------------------------------------------
scripts/ApacheAccessHandler.py | 34 ++++++++--------------------------
1 file changed, 8 insertions(+), 26 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-allura/blob/c7fe0470/scripts/ApacheAccessHandler.py
----------------------------------------------------------------------
diff --git a/scripts/ApacheAccessHandler.py b/scripts/ApacheAccessHandler.py
index 5f2ffce..19c5207 100644
--- a/scripts/ApacheAccessHandler.py
+++ b/scripts/ApacheAccessHandler.py
@@ -20,8 +20,8 @@ Here is a quick example for your apache settings (assuming ProxyPass)
AuthType Basic
AuthName "Git Access"
AuthBasicAuthoritative off
- PythonOption ALLURA_PERM_URL http://127.0.0.1:8080/auth/repo_permissions
- PythonOption ALLURA_LDAP_BASE ou=people,dc=opensourceprojects,dc=eu
+ PythonOption ALLURA_PERM_URL https://127.0.0.1/auth/repo_permissions
+ PythonOption ALLURA_AUTH_URL https://127.0.0.1/auth/do_login
</Location>
"""
@@ -29,35 +29,14 @@ Here is a quick example for your apache settings (assuming ProxyPass)
from mod_python import apache
import os
-# because urllib is not for humans
import requests
import json
-import ldap
def log(req, message):
req.log_error("Allura Access: %s" % message, apache.APLOG_WARNING)
-def ldap_auth(req, username, password):
- """
- Return True if the user was authenticated via LDAP
- """
-
- l = ldap.initialize('ldap://127.0.0.1')
- l.protocol_version = ldap.VERSION3
- ldap_user = "uid=%s,%s" % (username, req.get_options().get('ALLURA_LDAP_BASE', 'ou=people,dc=example,dc=com'))
-
- try:
- l.simple_bind_s(ldap_user, password)
- except ldap.LDAPError as e:
- log(req, "Unable to authenticate user, %s %s" % (ldap_user, e))
- return False
- log(req, "LDAP user authenticated %s" % ldap_user)
-
- return True
-
-
# This came straight from accessfs.py
def mangle(path):
'''Convert paths from the form /SCM/neighborhood/project/a/b/c to
@@ -99,14 +78,17 @@ def check_repo_path(req):
def check_authentication(req):
- log(req, "USER: "+req.user)
- return ldap_auth(req, req.user, req.get_basic_auth_pw())
+ auth_url = req.get_options().get('ALLURA_AUTH_URL', 'https://127.0.0.1/auth/do_login')
+ r = requests.post(auth_url, allow_redirects=False, params={
+ 'username': req.user,
+ 'password': req.get_basic_auth_pw()})
+ return r.status_code == 302
def check_permissions(req):
req_path = str(req.parsed_uri[apache.URI_PATH])
req_query = str(req.parsed_uri[apache.URI_QUERY])
- perm_url = req.get_options().get('ALLURA_PERM_URL', 'http://127.0.0.1:8080/auth/repo_permissions')
+ perm_url = req.get_options().get('ALLURA_PERM_URL', 'https://127.0.0.1/auth/repo_permissions')
r = requests.get(perm_url, params={'username': req.user, 'repo_path': mangle(req_path)})
if r.status_code != 200:
log(req, "repo_permissions return error (%d)" % r.status_code)