Module: check_mk
Branch: master
Commit: 60ea727d1864f836d3897b88216fe18be03202fd
URL:
http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=60ea727d1864f8…
Author: Lars Michelsen <lm(a)mathias-kettner.de>
Date: Tue Jul 21 09:19:02 2015 +0200
Some user login handling cleanups
---
web/htdocs/config.py | 5 +++
web/htdocs/html_mod_python.py | 15 +++++++--
web/htdocs/index.py | 4 +--
web/htdocs/login.py | 70 ++++++++++++++++++++++++-----------------
4 files changed, 60 insertions(+), 34 deletions(-)
diff --git a/web/htdocs/config.py b/web/htdocs/config.py
index 36d1ee5..c0333b9 100644
--- a/web/htdocs/config.py
+++ b/web/htdocs/config.py
@@ -43,6 +43,11 @@ try:
except NameError:
from sets import Set as set
+# FIXME: Make clear whether or not user related values should be part
+# of the "config" module. Maybe move to dedicated module (userdb?). Then
+# move all user related stuff there. e.g. html.user should also be moved
+# there.
+
#.
# .--Declarations--------------------------------------------------------.
# | ____ _ _ _ |
diff --git a/web/htdocs/html_mod_python.py b/web/htdocs/html_mod_python.py
index 7c3f3c3..e65b7e8 100644
--- a/web/htdocs/html_mod_python.py
+++ b/web/htdocs/html_mod_python.py
@@ -60,8 +60,11 @@ class html_mod_python(htmllib.html):
else:
return self.site_status
+ def login(self, user_id):
+ self.user = user_id
+
def is_logged_in(self):
- return self.user and type(self.user) in [ str, unicode ]
+ return self.user and type(self.user) == unicode
def load_help_visible(self):
try:
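Review bot: `is_logged_in` on the new side still returns the user value rather than a boolean — `self.user and type(self.user) == unicode` yields `None` or `u''` for an unauthenticated request and `True` only once the type check passes — and the exact `type(...) == unicode` comparison rejects unicode subclasses. `return isinstance(self.user, unicode) and self.user != u''` gives callers such as the `index.py` handler a plain bool with the same outcome for the values `check_auth()` produces. The new `login()` also has no docstring; a one-liner such as `"""Mark this request as authenticated for user_id (a unicode user id, or None to leave it unauthenticated)."""` would state the contract that `is_logged_in` relies on.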
@@ -69,8 +72,14 @@ class html_mod_python(htmllib.html):
except:
pass
+
+ def get_request_header(self, key, deflt=None):
+ return self.req.headers_in.get(key, deflt)
+
+
def is_ssl_request(self):
- return self.req.headers_in.get('X-Forwarded-Proto') == 'https'
+ return self.get_request_header('X-Forwarded-Proto') == 'https'
+
def set_cookie(self, varname, value, expires = None):
# httponly tells the browser not to make this cookie available to Javascript
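Review bot: `get_request_header` has no docstring and returns raw request header values, which are client-supplied unless a front-end component sets or strips them; the new `check_auth_http_header` in login.py authenticates directly from such a value, so the helper should say so. Suggested: `"""Return the raw value of request header key, or deflt when absent. Header values come from the client unless a trusted front-end sets them, so callers must not treat them as authenticated data by themselves."""`. The same caveat applies to the `X-Forwarded-Proto` lookup that `is_ssl_request` now routes through this helper.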
@@ -111,7 +120,7 @@ class html_mod_python(htmllib.html):
return config.load_user_file("buttoncounts", {})
def top_heading(self, title):
- if type(self.user) in [ str, unicode ]:
+ if self.is_logged_in():
login_text = "<b>%s</b> (%s" % (config.user_id,
"+".join(config.user_role_ids))
if self.enable_debug:
if config.get_language():
diff --git a/web/htdocs/index.py b/web/htdocs/index.py
index b8b6f3d..22497ac 100644
--- a/web/htdocs/index.py
+++ b/web/htdocs/index.py
@@ -196,8 +196,8 @@ def handler(req, fields = None, profiling = True):
if not html.is_logged_in():
config.auth_type = 'cookie'
# When not authed tell the browser to ask for the password
- html.user = login.check_auth()
- if html.user == '':
+ html.login(login.check_auth())
+ if not html.is_logged_in():
if fail_silently:
# While api call don't show the login dialog
raise MKUnauthenticatedException(_('You are not
authenticated.'))
diff --git a/web/htdocs/login.py b/web/htdocs/login.py
index 738a39a..639a9ae 100644
--- a/web/htdocs/login.py
+++ b/web/htdocs/login.py
@@ -132,42 +132,54 @@ def check_auth_cookie(cookie_name):
def check_auth_automation():
secret = html.var("_secret").strip()
- user = html.var_utf8("_username").strip()
+ user_id = html.var_utf8("_username").strip()
html.del_var('_username')
html.del_var('_secret')
- if secret and user and "/" not in user:
- path = defaults.var_dir + "/web/" + user.encode("utf-8") +
"/automation.secret"
+ if secret and user_id and "/" not in user_id:
+ path = defaults.var_dir + "/web/" + user_id.encode("utf-8") +
"/automation.secret"
if os.path.isfile(path) and file(path).read().strip() == secret:
# Auth with automation secret succeeded - mark transid as unneeded in this
case
html.set_ignore_transids()
- return user
- raise MKAuthException(_("Invalid automation secret for user %s") %
html.attrencode(user))
+ return user_id
+ raise MKAuthException(_("Invalid automation secret for user %s") %
html.attrencode(user_id))
+
+# When http header auth is enabled, try to read the user_id from the var
+# and when there is some available, set the auth cookie (for other addons) and proceed.
+def check_auth_http_header():
+ user_id = html.get_request_header(config.auth_by_http_header)
+ if user_id:
+ user_id = user_id.decode("utf-8")
+ serial = load_serial(user_id)
+ renew_cookie(site_cookie_name(), user_id, serial)
+ else:
+ user_id = None
+ return user_id
def check_auth():
+ user_id = None
if html.var("_secret"):
- return check_auth_automation()
-
- # When http header auth is enabled, try to read the username from the var
- # and when there is some available, set the auth cookie (for other addons) and
proceed.
- if config.auth_by_http_header:
- username = html.req.headers_in.get(config.auth_by_http_header,
None).decode("utf-8")
- if username:
- serial = load_serial(username)
- renew_cookie(site_cookie_name(), username, serial)
- return username
-
- for cookie_name in html.get_cookie_names():
- if cookie_name.startswith('auth_'):
- try:
- return check_auth_cookie(cookie_name)
- except Exception, e:
- #if html.enable_debug:
- # html.write('Exception occured while checking cookie %s' %
cookie_name)
- # raise
- #else:
- pass
-
- return ''
+ user_id = check_auth_automation()
+
+ elif config.auth_by_http_header:
+ user_id = check_auth_http_header()
+
+ if user_id == None:
+ for cookie_name in html.get_cookie_names():
+ if cookie_name.startswith('auth_'):
+ try:
+ user_id = check_auth_cookie(cookie_name)
+ break
+ except Exception, e:
+ #if html.enable_debug:
+ # html.write('Exception occured while checking cookie %s'
% cookie_name)
+ # raise
+ #else:
+ pass
+
+ if (user_id != None and type(user_id) != unicode) or user_id == u'':
+ raise MKInternalError(_("Invalid user authentication"))
+
+ return user_id
def do_login():
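Review bot: `check_auth_http_header` hands the raw header value to `load_serial` and `renew_cookie` without the `"/" not in user_id` check that `check_auth_automation` applies a few lines above before building a per-user path; if `load_serial` derives a filesystem path from the user id the same way (not visible in this hunk), the header branch needs the same rejection. `user_id.decode("utf-8")` also raises `UnicodeDecodeError` on a non-UTF-8 header value, which surfaces as an unhandled error rather than a failed login. A reworked version of the function is below; in `check_auth` the cookie fallback should additionally compare with `is None` rather than `== None`. The `except Exception, e: pass` around `check_auth_cookie` is carried over unchanged and still hides cookie validation errors, which makes failed cookie logins hard to diagnose.
```python
def check_auth_http_header():
    user_id = html.get_request_header(config.auth_by_http_header)
    if not user_id:
        return None
    try:
        user_id = user_id.decode("utf-8")
    except UnicodeDecodeError:
        raise MKAuthException(_("Invalid user id in authentication header"))
    # Same restriction as the automation branch, in case load_serial builds a per-user path from it
    if "/" in user_id:
        raise MKAuthException(_("Invalid user id in authentication header"))
    serial = load_serial(user_id)
    renew_cookie(site_cookie_name(), user_id, serial)
    return user_id
```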
@@ -256,7 +268,7 @@ def normal_login_page(called_directly = True):
}''')
# When someone calls the login page directly and is already authed redirect to main
page
- if html.myfile == 'login' and check_auth() != '':
+ if html.myfile == 'login' and check_auth():
html.immediate_browser_redirect(0.5, origtarget and origtarget or
'index.py')
return apache.OK