Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
This implements the authentication part of the problem, and a nice avatar interface, which can deliver corporates photos, as well as gravatar Everything is integrated when possible with twisted.web.guard, which is probably the less user friendly API I have ever seen.
- Loading branch information
Pierre Tardy
committed
Mar 19, 2014
1 parent
284503d
commit 5dc80fb
Showing
21 changed files
with
846 additions
and
1,597 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,41 @@ | ||
# This file is part of Buildbot. Buildbot is free software: you can | ||
# redistribute it and/or modify it under the terms of the GNU General Public | ||
# License as published by the Free Software Foundation, version 2. | ||
# | ||
# This program is distributed in the hope that it will be useful, but WITHOUT | ||
# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS | ||
# FOR A PARTICULAR PURPOSE. See the GNU General Public License for more | ||
# details. | ||
# | ||
# You should have received a copy of the GNU General Public License along with | ||
# this program; if not, write to the Free Software Foundation, Inc., 51 | ||
# Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. | ||
# | ||
# Copyright Buildbot Team Members | ||
|
||
import mock | ||
import re | ||
|
||
from buildbot.test.fake import endpoint | ||
from buildbot.test.util import compat | ||
from buildbot.test.util import www | ||
from buildbot.util import json | ||
from buildbot.www import auth | ||
from twisted.internet import defer | ||
from twisted.trial import unittest | ||
|
||
|
||
class SessionConfigResource(www.WwwTestMixin, unittest.TestCase): | ||
|
||
@defer.inlineCallbacks | ||
def test_render(self): | ||
master = self.make_master(url='h:/a/b/', auth=auth.Auth()) | ||
rsrc = auth.SessionConfigResource(master) | ||
rsrc.reconfigResource(master.config) | ||
res = yield self.render_resource(rsrc, '/') | ||
exp = 'this.config = {"url": "h:/a/b/", "user": {"anonymous": true}, "auth": "auth", "port": null}' | ||
self.assertEqual(res, exp) | ||
master.session.user_infos = dict(name="me", email="me@me.org") | ||
res = yield self.render_resource(rsrc, '/') | ||
exp = 'this.config = {"url": "h:/a/b/", "user": {"email": "me@me.org", "name": "me"}, "auth": "auth", "port": null}' | ||
self.assertEqual(res, exp) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,225 @@ | ||
# This file is part of Buildbot. Buildbot is free software: you can | ||
# redistribute it and/or modify it under the terms of the GNU General Public | ||
# License as published by the Free Software Foundation, version 2. | ||
# | ||
# This program is distributed in the hope that it will be useful, but WITHOUT | ||
# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS | ||
# FOR A PARTICULAR PURPOSE. See the GNU General Public License for more | ||
# details. | ||
# | ||
# You should have received a copy of the GNU General Public License along with | ||
# this program; if not, write to the Free Software Foundation, Inc., 51 | ||
# Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. | ||
# | ||
# Copyright Buildbot Team Members | ||
|
||
import re | ||
|
||
from zope.interface import implements | ||
|
||
from buildbot.util import json | ||
from buildbot.www import resource | ||
|
||
from twisted.cred.checkers import FilePasswordDB | ||
from twisted.cred.checkers import InMemoryUsernamePasswordDatabaseDontUse | ||
from twisted.cred.portal import IRealm | ||
from twisted.cred.portal import Portal | ||
from twisted.internet import defer | ||
from twisted.web.error import Error | ||
from twisted.web.guard import BasicCredentialFactory | ||
from twisted.web.guard import DigestCredentialFactory | ||
from twisted.web.guard import HTTPAuthSessionWrapper | ||
from twisted.web.resource import IResource | ||
|
||
|
||
class AuthBase(resource.ConfiguredBase): | ||
name = "auth" | ||
|
||
def __init__(self, userInfos=None): | ||
if userInfos is None: | ||
userInfos = UserInfosBase() | ||
self.userInfos = userInfos | ||
|
||
def maybeAutoLogin(self, request): | ||
return defer.succeed(False) | ||
|
||
def authenticateViaLogin(self, request): | ||
raise Error(501, "not implemented") | ||
|
||
def getLoginResource(self, master): | ||
return LoginResource(master) | ||
|
||
@defer.inlineCallbacks | ||
def getUserInfos(self, request): | ||
session = request.getSession() | ||
if self.userInfos is not None: | ||
infos = yield self.userInfos.getUserInfos(session.user_infos['username']) | ||
session.user_infos.update(infos) | ||
|
||
|
||
class UserInfosBase(resource.ConfiguredBase): | ||
name = "noinfo" | ||
|
||
def getUserInfos(self, username): | ||
return defer.succeed({'email': username}) | ||
|
||
|
||
class NoAuth(AuthBase): | ||
name = "noauth" | ||
|
||
|
||
class RemoteUserAuth(AuthBase): | ||
name = "remoteuserauth" | ||
header = "REMOTE_USER" | ||
headerRegex = re.compile(r"(?P<username>[^ @]+)@(?P<realm>[^ @]+)") | ||
|
||
def __init__(self, header=None, headerRegex=None, **kwargs): | ||
AuthBase.__init__(self, **kwargs) | ||
if header is not None: | ||
self.header = header | ||
if headerRegex is not None: | ||
self.headerRegex = headerRegex | ||
|
||
@defer.inlineCallbacks | ||
def maybeAutoLogin(self, request): | ||
header = request.getHeader(self.header) | ||
res = self.headerRegex.match(header) | ||
if res is None: | ||
raise Error(403, "http header does not match regex %s %s" % (header, | ||
self.headerRegex.pattern)) | ||
session = request.getSession() | ||
if not hasattr(session, "user_infos"): | ||
session.user_infos = dict(res.groupdict()) | ||
yield self.getUserInfos(request) | ||
defer.returnValue(True) | ||
|
||
def authenticateViaLogin(self, request): | ||
raise Error(403, "should authenticate via reverse proxy") | ||
|
||
|
||
class authRealm(object): | ||
implements(IRealm) | ||
|
||
def __init__(self, master, auth): | ||
self.auth = auth | ||
self.master = master | ||
|
||
def requestAvatar(self, avatarId, mind, *interfaces): | ||
if IResource in interfaces: | ||
return (IResource, | ||
PreAuthenticatedLoginResource(self.master, self.auth, avatarId), | ||
lambda: None) | ||
raise NotImplementedError() | ||
|
||
|
||
class TwistedICredAuthBase(AuthBase): | ||
name = "icredauth" | ||
|
||
def __init__(self, credentialFactories, checkers, **kwargs): | ||
AuthBase.__init__(self, **kwargs) | ||
self.credentialFactories = credentialFactories | ||
self.checkers = checkers | ||
|
||
def getLoginResource(self, master): | ||
return HTTPAuthSessionWrapper(Portal(authRealm(master, self), self.checkers), | ||
self.credentialFactories) | ||
|
||
|
||
class HTPasswdAuth(TwistedICredAuthBase): | ||
|
||
def __init__(self, passwdFile, **kwargs): | ||
TwistedICredAuthBase.__init__( | ||
self, | ||
[DigestCredentialFactory("md5", "buildbot"), BasicCredentialFactory("buildbot")], | ||
[FilePasswordDB(passwdFile)], | ||
**kwargs) | ||
|
||
|
||
class BasicAuth(TwistedICredAuthBase): | ||
|
||
def __init__(self, users, **kwargs): | ||
TwistedICredAuthBase.__init__( | ||
self, | ||
[DigestCredentialFactory("md5", "buildbot"), BasicCredentialFactory("buildbot")], | ||
[InMemoryUsernamePasswordDatabaseDontUse(**users)], | ||
**kwargs) | ||
|
||
|
||
class SessionConfigResource(resource.Resource): | ||
# enable reconfigResource calls | ||
needsReconfig = True | ||
|
||
def reconfigResource(self, new_config): | ||
self.config = new_config.www | ||
|
||
def render_GET(self, request): | ||
return self.asyncRenderHelper(request, self.renderConfig) | ||
|
||
@defer.inlineCallbacks | ||
def renderConfig(self, request): | ||
config = {} | ||
request.setHeader("content-type", 'text/javascript') | ||
request.setHeader("Cache-Control", "public;max-age=0") | ||
|
||
session = request.getSession() | ||
try: | ||
yield self.config['auth'].maybeAutoLogin(request) | ||
except Error, e: | ||
config["on_load_warning"] = e.message | ||
|
||
if hasattr(session, "user_infos"): | ||
config.update({"user": session.user_infos}) | ||
else: | ||
config.update({"user": {"anonymous": True}}) | ||
config.update(self.config) | ||
|
||
def toJson(obj): | ||
if isinstance(obj, object) and hasattr(obj, "getConfig"): | ||
return obj.getConfig(request) | ||
defer.returnValue("this.config = " + json.dumps(config, default=toJson)) | ||
|
||
|
||
class LoginResource(resource.Resource): | ||
# enable reconfigResource calls | ||
needsReconfig = True | ||
|
||
def reconfigResource(self, new_config): | ||
self.auth = new_config.www['auth'] | ||
|
||
def render_GET(self, request): | ||
return self.asyncRenderHelper(request, self.renderLogin) | ||
|
||
@defer.inlineCallbacks | ||
def renderLogin(self, request): | ||
yield self.auth.authenticateViaLogin(request) | ||
defer.returnValue("") | ||
|
||
|
||
class PreAuthenticatedLoginResource(LoginResource): | ||
# a LoginResource, which is already authenticated via a HTTPAuthSessionWrapper | ||
# disable reconfigResource calls | ||
needsReconfig = False | ||
|
||
def __init__(self, master, auth, username): | ||
LoginResource.__init__(self, master) | ||
self.auth = auth | ||
self.username = username | ||
|
||
@defer.inlineCallbacks | ||
def renderLogin(self, request): | ||
session = request.getSession() | ||
session.user_infos = dict(username=self.username) | ||
yield self.auth.getUserInfos(request) | ||
|
||
|
||
class LogoutResource(resource.Resource): | ||
# enable reconfigResource calls | ||
needsReconfig = True | ||
|
||
def reconfigResource(self, new_config): | ||
self.auth = new_config.www['auth'] | ||
|
||
def render_GET(self, request): | ||
session = request.getSession() | ||
session.expire() | ||
return "" |
Oops, something went wrong.