Posted to commits@allura.apache.org by br...@apache.org on 2014/10/03 21:42:15 UTC
[1/3] git commit: [#7732] (unrelated) prevent empty LDAP login from
proceeding
Repository: allura
Updated Branches:
refs/heads/db/7732 e923270e0 -> 660ec3350 (forced update)
[#7732] (unrelated) prevent empty LDAP login from proceeding
Project: http://git-wip-us.apache.org/repos/asf/allura/repo
Commit: http://git-wip-us.apache.org/repos/asf/allura/commit/660ec335
Tree: http://git-wip-us.apache.org/repos/asf/allura/tree/660ec335
Diff: http://git-wip-us.apache.org/repos/asf/allura/diff/660ec335
Branch: refs/heads/db/7732
Commit: 660ec3350a8ad80fe0a63b265d8e4235c26cc972
Parents: 9e5e71a
Author: Dave Brondsema <db...@slashdotmedia.com>
Authored: Fri Oct 3 19:26:32 2014 +0000
Committer: Dave Brondsema <db...@slashdotmedia.com>
Committed: Fri Oct 3 19:27:26 2014 +0000
----------------------------------------------------------------------
Allura/allura/lib/plugin.py | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/allura/blob/660ec335/Allura/allura/lib/plugin.py
----------------------------------------------------------------------
diff --git a/Allura/allura/lib/plugin.py b/Allura/allura/lib/plugin.py
index 71ba353..78c8ba1 100644
--- a/Allura/allura/lib/plugin.py
+++ b/Allura/allura/lib/plugin.py
@@ -430,6 +430,8 @@ def ldap_conn(who=None, cred=None):
def ldap_user_dn(username):
'return a Distinguished Name for a given username'
+ if not username:
+ raise ValueError('Empty username')
return 'uid=%s,%s' % (
ldap.dn.escape_dn_chars(username),
config['auth.ldap.suffix'])
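Review bot: The docstring of `ldap_user_dn` still reads `'return a Distinguished Name for a given username'` and does not mention the ValueError the new guard introduces, which callers now have to catch (as `_validate_password` does in the next hunk). Suggest `'''Return a Distinguished Name for the given username. Raises ValueError if username is empty.'''` so the contract is visible at the definition. The `if not username` check rejects both `None` and `''`, which matches the `return False` handling added in the caller.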
@@ -567,7 +569,11 @@ class LdapAuthenticationProvider(AuthenticationProvider):
def _validate_password(self, username, password):
'''by username'''
try:
- con = ldap_conn(ldap_user_dn(username), password)
+ ldap_user = ldap_user_dn(username)
+ except ValueError:
+ return False
+ try:
+ con = ldap_conn(ldap_user, password)
con.unbind_s()
return True
except (ldap.INVALID_CREDENTIALS, ldap.UNWILLING_TO_PERFORM, ldap.NO_SUCH_OBJECT):
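Review bot: The new guard rejects only an empty username; an empty password still reaches `ldap_conn(ldap_user, password)`, and a simple bind with a DN and an empty password is treated by many directory servers as an unauthenticated (anonymous) bind that succeeds instead of raising INVALID_CREDENTIALS (RFC 4513 §5.1.2), in which case this method returns True for a real username with no password. Add `if not password: return False` next to the ValueError handling so both halves of an empty login are refused before any bind is attempted. `_validate_password` continues past the end of the hunk.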
[2/3] git commit: [#7732] .ini cleanup
Posted by br...@apache.org.
[#7732] .ini cleanup
Project: http://git-wip-us.apache.org/repos/asf/allura/repo
Commit: http://git-wip-us.apache.org/repos/asf/allura/commit/9e5e71a2
Tree: http://git-wip-us.apache.org/repos/asf/allura/tree/9e5e71a2
Diff: http://git-wip-us.apache.org/repos/asf/allura/diff/9e5e71a2
Branch: refs/heads/db/7732
Commit: 9e5e71a2af05290785ed3aa45b680b3dc867630d
Parents: 351d3d6
Author: Dave Brondsema <db...@slashdotmedia.com>
Authored: Fri Oct 3 03:12:22 2014 +0000
Committer: Dave Brondsema <db...@slashdotmedia.com>
Committed: Fri Oct 3 19:27:26 2014 +0000
----------------------------------------------------------------------
Allura/allura/lib/app_globals.py | 1 -
Allura/development.ini | 39 ++++-------------------------------
2 files changed, 4 insertions(+), 36 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/allura/blob/9e5e71a2/Allura/allura/lib/app_globals.py
----------------------------------------------------------------------
diff --git a/Allura/allura/lib/app_globals.py b/Allura/allura/lib/app_globals.py
index 9c80253..2d5136e 100644
--- a/Allura/allura/lib/app_globals.py
+++ b/Allura/allura/lib/app_globals.py
@@ -160,7 +160,6 @@ class Globals(object):
else: # pragma no cover
log.warning('Solr config not set; using in-memory MockSOLR')
self.solr = self.solr_short_timeout = MockSOLR()
- self.use_queue = asbool(config.get('use_queue', False))
# Load login/logout urls; only used for customized logins
self.login_url = config.get('auth.login_url', '/auth/')
http://git-wip-us.apache.org/repos/asf/allura/blob/9e5e71a2/Allura/development.ini
----------------------------------------------------------------------
diff --git a/Allura/development.ini b/Allura/development.ini
index 75cded3..03fe01f 100644
--- a/Allura/development.ini
+++ b/Allura/development.ini
@@ -46,10 +46,9 @@ next=main
[app:main]
use = egg:Allura
full_stack = true
-use_queue = true
site_name = Allura
-domain = forge-allura.apache.org
+domain = localhost
base_url = http://localhost:8080
#lang = ru
@@ -147,19 +146,11 @@ user_prefs_storage.ldap.fields.display_name = cn
# Set the locations of some static resources. ("ew" stands for EasyWidgets library)
# script_name is the path that is handled by the application
# url_base is the prefix that references to the static resources should have
-no_redirect.pattern = ^/nf/\d+/_(ew|static)_/.*|^/rest/.*
-# Pages that must always be SSL even when logged out, such as ones using the login overlay
-force_ssl.pattern = ^/[a-z0-9-]+/import_project/
-# to make all pages use ssl, even when not logged in:
-# force_ssl.pattern = .
-
+# If you use a CDN, put your CDN prefix in the url_base values
ew.script_name = /nf/%(build_key)s/_ew_/
ew.url_base = /nf/%(build_key)s/_ew_/
-# ew.url_base = ://a.fsdn.com/allura/nf/%(build_key)s/_ew_/
static.script_name = /nf/%(build_key)s/_static_/
static.url_base = /nf/%(build_key)s/_static_/
-# static.url_base = ://a.fsdn.com/allura/nf/%(build_key)s/_static_/
-# cdn.url_base = //a.fsdn.com/allura
; Expires header for "static" resources served through allura (e.g. icons, attachments, /nf/tool_icon_css)
files_expires_header_secs = 1209600 ; 2 weeks
@@ -291,28 +282,6 @@ forgemail.return_path = noreply@sf.net
# no need to sleep in devel
ensure_index.sleep = 0
-# If you'd like to fine-tune the individual locations of the cache data dirs
-# for the Cache data, or the Session saves, un-comment the desired settings
-# here:
-#beaker.cache.data_dir = %(here)s/data/cache
-#beaker.session.data_dir = %(here)s/data/sessions
-
-# pick the form for your database
-# %(here) may include a ':' character on Windows environments; this can
-# invalidate the URI when specifying a SQLite db via path name
-# sqlalchemy.url=postgres://username:password@hostname:port/databasename
-# sqlalchemy.url=mysql://username:password@hostname:port/databasename
-
-
-# If you have sqlite, here's a simple default to get you started
-# in development
-
-sqlalchemy.url = sqlite:///%(here)s/devdata.db
-#echo shouldn't be used together with the logging module.
-sqlalchemy.echo = false
-sqlalchemy.echo_pool = false
-sqlalchemy.pool_recycle = 3600
-
# set this to "false" if you are deploying to production and want performance improvements
auto_reload_templates = true
@@ -334,7 +303,7 @@ user_message.max_messages = 20
[app:tool_test]
use = egg:Allura
-override_root=basetest_project_root
+override_root=basetest_project_root ; TurboGears will use controllers/basetest_project_root.py as root controller
full_stack = true
cache_dir = %(here)s/data
@@ -376,7 +345,7 @@ markdown_render_max_length = 999999999
[app:task]
use = main
-override_root = task
+override_root = task ; TurboGears will use controllers/task.py as root controller
# Logging configuration
# Add additional loggers, handlers, formatters here
[3/3] git commit: [#7732] make SSLMiddleware generic and usable
Posted by br...@apache.org.
[#7732] make SSLMiddleware generic and usable
Project: http://git-wip-us.apache.org/repos/asf/allura/repo
Commit: http://git-wip-us.apache.org/repos/asf/allura/commit/351d3d6b
Tree: http://git-wip-us.apache.org/repos/asf/allura/tree/351d3d6b
Diff: http://git-wip-us.apache.org/repos/asf/allura/diff/351d3d6b
Branch: refs/heads/db/7732
Commit: 351d3d6bf2725cca39b07772e66f3b36b25b31aa
Parents: 5536ebe
Author: Dave Brondsema <db...@slashdotmedia.com>
Authored: Fri Oct 3 03:12:03 2014 +0000
Committer: Dave Brondsema <db...@slashdotmedia.com>
Committed: Fri Oct 3 19:27:26 2014 +0000
----------------------------------------------------------------------
Allura/allura/config/middleware.py | 8 ++++----
Allura/allura/controllers/root.py | 5 ++++-
Allura/allura/lib/custom_middleware.py | 13 +++++--------
Allura/allura/lib/plugin.py | 8 +++++++-
Allura/development.ini | 16 ++++++++++++++--
5 files changed, 34 insertions(+), 16 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/allura/blob/351d3d6b/Allura/allura/config/middleware.py
----------------------------------------------------------------------
diff --git a/Allura/allura/config/middleware.py b/Allura/allura/config/middleware.py
index 91a3575..ab0d400 100644
--- a/Allura/allura/config/middleware.py
+++ b/Allura/allura/config/middleware.py
@@ -144,11 +144,11 @@ def _make_core_app(root, global_conf, full_stack=True, **app_conf):
app = CSRFMiddleware(app, '_session_id')
# Setup the allura SOPs
app = allura_globals_middleware(app)
- # Ensure https for logged in users, http for anonymous ones
- if (asbool(app_conf.get('auth.method', 'local') == 'sfx')
- and config.get('override_root') != 'task'):
+ # Ensure http and https used per config
+ if config.get('override_root') != 'task':
app = SSLMiddleware(app, app_conf.get('no_redirect.pattern'),
- app_conf.get('force_ssl.pattern'))
+ app_conf.get('force_ssl.pattern'),
+ app_conf.get('force_ssl.logged_in'))
# Setup resource manager, widget context SOP
app = ew.WidgetMiddleware(
app,
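Review bot: `app_conf.get('force_ssl.logged_in')` is handed to SSLMiddleware as the raw ini string, and custom_middleware.py stores it unchanged (`self._force_ssl_logged_in = force_ssl_logged_in`, hunk at L242–L248) and tests it with a boolean `and` (L261), so `force_ssl.logged_in = false` in the ini would enable the logged-in redirect because any non-empty string is truthy; root.py's new check for the same key uses `asbool(...)`. Change the argument to `asbool(app_conf.get('force_ssl.logged_in'))` — `asbool` was already used on the removed line, so it appears to remain in scope here. `_make_core_app` continues outside the hunk.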
http://git-wip-us.apache.org/repos/asf/allura/blob/351d3d6b/Allura/allura/controllers/root.py
----------------------------------------------------------------------
diff --git a/Allura/allura/controllers/root.py b/Allura/allura/controllers/root.py
index f354872..e588d45 100644
--- a/Allura/allura/controllers/root.py
+++ b/Allura/allura/controllers/root.py
@@ -20,10 +20,11 @@
"""Main Controller"""
import logging
-from tg import expose, request, config
+from tg import expose, request, config, session
from tg.decorators import with_trailing_slash
from tg.flash import TGFlash
from pylons import tmpl_context as c
+from paste.deploy.converters import asbool
from allura.app import SitemapEntry
from allura.lib.base import WsgiDispatchController
@@ -89,6 +90,8 @@ class RootController(WsgiDispatchController):
'Did you run `paster setup-app` to create the database?')
if not c.user.is_anonymous():
c.user.track_active(request)
+ if asbool(config.get('force_ssl.logged_in')):
+ session.secure = True
def _cleanup_request(self):
pass
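Review bot: `session.secure = True` is only applied when `c.user` is already non-anonymous during request setup, so on the login request itself the session is presumably saved by `AuthenticationProvider.login` (plugin.py hunk at L281–L292, where the `allura-loggedin` cookie is set) before this flag is ever set; if so, the session cookie is first issued without the Secure attribute and only gains it on the user's next request. Consider also setting `self.session.secure = True` under the same `force_ssl.logged_in` check inside login(), before the session is saved, so the cookie is never written without the flag. The method containing these lines begins outside the hunk, and the place where login() saves its session is not visible here.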
http://git-wip-us.apache.org/repos/asf/allura/blob/351d3d6b/Allura/allura/lib/custom_middleware.py
----------------------------------------------------------------------
diff --git a/Allura/allura/lib/custom_middleware.py b/Allura/allura/lib/custom_middleware.py
index 981c602..1116b45 100644
--- a/Allura/allura/lib/custom_middleware.py
+++ b/Allura/allura/lib/custom_middleware.py
@@ -151,7 +151,7 @@ class SSLMiddleware(object):
'Verify the https/http schema is correct'
- def __init__(self, app, no_redirect_pattern=None, force_ssl_pattern=None):
+ def __init__(self, app, no_redirect_pattern=None, force_ssl_pattern=None, force_ssl_logged_in=False):
self.app = app
if no_redirect_pattern:
self._no_redirect_re = re.compile(no_redirect_pattern)
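Review bot: The new `force_ssl_logged_in` parameter is undocumented, and the class docstring `'Verify the https/http schema is correct'` says nothing about any of the three constructor arguments. A short `__init__` docstring would help: `force_ssl_pattern` is compiled and matched against `PATH_INFO` to force https (visible in the `__call__` hunk), `force_ssl_logged_in` makes any request carrying the `allura-loggedin` cookie redirect to https, and `no_redirect_pattern` is compiled here but its use is outside the hunks shown, so describe it only as far as that use confirms. `__init__` continues into the next hunk.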
@@ -161,6 +161,7 @@ class SSLMiddleware(object):
self._force_ssl_re = re.compile(force_ssl_pattern)
else:
self._force_ssl_re = re.compile('$$$')
+ self._force_ssl_logged_in = force_ssl_logged_in
def __call__(self, environ, start_response):
req = Request(environ)
@@ -174,13 +175,9 @@ class SSLMiddleware(object):
resp = exc.HTTPNotFound()
secure = req.url.startswith('https://')
srv_path = req.url.split('://', 1)[-1]
- # This SFUSER check is SourceForge-specific (to require all logged-in users to use https)
- # BUT has the additional affect of not forcing SSL for regular Allura instances
- # This is important for local development, at least. When we remove SFUSER (perhaps by requiring SSL everywhere),
- # we can use `no_redirect.pattern = .` for local development to work
- # without SSL
- force_ssl = req.cookies.get(
- 'SFUSER') or self._force_ssl_re.match(environ['PATH_INFO'])
+ # allura-loggedin is a non-secure cookie as a flag to know that the user has a session over on https
+ force_ssl = (self._force_ssl_logged_in and req.cookies.get('allura-loggedin')) \
+ or self._force_ssl_re.match(environ['PATH_INFO'])
if not secure and force_ssl:
resp = exc.HTTPFound(location='https://' + srv_path)
elif secure and not force_ssl:
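Review bot: The backslash continuation splitting the new `force_ssl = (...) \ or ...` assignment is fragile to trailing whitespace; wrapping the whole expression in parentheses reads more clearly, e.g. `force_ssl = ((self._force_ssl_logged_in and req.cookies.get('allura-loggedin'))` / `or self._force_ssl_re.match(environ['PATH_INFO']))`. The comment above it could also state that the cookie is client-controlled and only ever triggers a redirect to https, which is why it is acceptable for it to be non-secure. The `elif` branch body and the rest of `__call__` are outside the hunk.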
http://git-wip-us.apache.org/repos/asf/allura/blob/351d3d6b/Allura/allura/lib/plugin.py
----------------------------------------------------------------------
diff --git a/Allura/allura/lib/plugin.py b/Allura/allura/lib/plugin.py
index 79eb1b9..71ba353 100644
--- a/Allura/allura/lib/plugin.py
+++ b/Allura/allura/lib/plugin.py
@@ -41,7 +41,7 @@ except ImportError:
ldap = modlist = None
import pkg_resources
import tg
-from tg import config, request, redirect
+from tg import config, request, redirect, response
from pylons import tmpl_context as c, app_globals as g
from webob import exc
from bson.tz_util import FixedOffset
@@ -157,6 +157,11 @@ class AuthenticationProvider(object):
g.zarkov_event('login', user=user)
g.statsUpdater.addUserLogin(user)
user.track_login(self.request)
+ # set a non-secure cookie with same expiration as session,
+ # so an http request can know if there is a related session on https
+ response.set_cookie('allura-loggedin', value='true',
+ expires=None if self.session['login_expires'] is True else self.session['login_expires'],
+ secure=False, httponly=True)
return user
except exc.HTTPUnauthorized:
self.logout()
@@ -167,6 +172,7 @@ class AuthenticationProvider(object):
self.session['username'] = None
self.session['pwd-expired'] = False
self.session.save()
+ response.delete_cookie('allura-loggedin')
def validate_password(self, user, password):
'''Check that provided password matches actual user password
http://git-wip-us.apache.org/repos/asf/allura/blob/351d3d6b/Allura/development.ini
----------------------------------------------------------------------
diff --git a/Allura/development.ini b/Allura/development.ini
index 1ecaefc..75cded3 100644
--- a/Allura/development.ini
+++ b/Allura/development.ini
@@ -60,6 +60,8 @@ cache_dir = %(here)s/data
beaker.session.key = allura
beaker.session.type = cookie
beaker.session.httponly = true
+; set this to true if you use HTTPS. If you use force_ssl.logged_in, this will be set automatically when logged in and not when not.
+beaker.session.secure = false
; CHANGE THIS VALUE FOR YOUR SITE
beaker.session.validate_key = 714bfe3612c42390726f
@@ -73,7 +75,7 @@ show_export_control = false
# auth.method = ldap
auth.method = local
-auth.remember_for = 365
+auth.remember_for = 365 ; in days, for the "remember me" checkbox on login
# auth.login_url = /auth/
# auth.logout_url = /auth/logout
# auth.login_fragment_url = /auth/login_fragment
@@ -132,7 +134,17 @@ user_prefs_storage.ldap.fields.display_name = cn
# search.project.additional_display_fields = private, url, title
# search.user.additional_display_fields = email_addresses
-# Set the locations of some static resources
+; To make all pages use ssl: (also set beaker.session.secure above)
+; force_ssl.pattern = .
+; To use ssl if and only if a user is logged in:
+; force_ssl.logged_in = true
+; If you set force_ssl.logged_in, you probably want some URLs to be ssl when logged out:
+; force_ssl.pattern = ^/auth|^/[a-z0-9-]+/import_project/ ; import_project uses a login overlay
+; And to permit some URLs to be accessed over http anyway:
+; no_redirect.pattern = ^/nf/\d+/_(ew|static)_/|^/rest/|^/nf/tool_icon_css|^/auth/refresh_repo
+
+
+# Set the locations of some static resources. ("ew" stands for EasyWidgets library)
# script_name is the path that is handled by the application
# url_base is the prefix that references to the static resources should have
no_redirect.pattern = ^/nf/\d+/_(ew|static)_/.*|^/rest/.*