author | Marcin Kuzminski <marcin@python-works.com> | 2012-03-16 23:58:05 +0200 |
---|---|---|
committer | Marcin Kuzminski <marcin@python-works.com> | 2012-03-16 23:58:05 +0200 |
commit | ef8a062e805d7aab7cd3c2006943624a6308e5bb (patch) | |
tree | c8ccb227431f7764879f82323363305ad635cf0c | |
parent | 0d11ef46a297e2745e8cf34e936cbcb6abd744c6 (diff) |
Alternative HTTP response codes when client failed to Authenticate correctly
--HG--
branch : beta
-rw-r--r-- | development.ini | 5 | ||||
-rw-r--r-- | docs/changelog.rst | 2 | ||||
-rw-r--r-- | production.ini | 5 | ||||
-rw-r--r-- | rhodecode/config/deployment.ini_tmpl | 5 | ||||
-rw-r--r-- | rhodecode/lib/base.py | 21 |
5 files changed, 37 insertions, 1 deletions
diff --git a/development.ini b/development.ini
index 18ad7a35..3b4036fe 100644
--- a/development.ini
+++ b/development.ini
@@ -93,6 +93,11 @@ issue_prefix = #
 ## all running rhodecode instances. Leave empty if you don't use it
 instance_id =
+## alternative return HTTP header for failed authentication. Default HTTP
+## response is 401 HTTPUnauthorized. Currently HG clients have troubles with
+## handling that. Set this variable to 403 to return HTTPForbidden
+auth_ret_code =
+
 ####################################
 ### CELERY CONFIG ####
 ####################################
diff --git a/docs/changelog.rst b/docs/changelog.rst
index 45b4aca2..186bf7da 100644
--- a/docs/changelog.rst
+++ b/docs/changelog.rst
@@ -23,6 +23,8 @@ news
 - #399 added inheritance of permissions for users group on repos groups
 - #401 repository group is automatically pre-selected when adding repos inside a repository group
+- added alternative HTTP 403 response when client failed to authenticate. Helps
+ solving issues with Mercurial and LDAP
 fixes
 +++++
diff --git a/production.ini b/production.ini
index 4360084e..aca03ee3 100644
--- a/production.ini
+++ b/production.ini
@@ -93,6 +93,11 @@ issue_prefix = #
 ## all running rhodecode instances. Leave empty if you don't use it
 instance_id =
+## alternative return HTTP header for failed authentication. Default HTTP
+## response is 401 HTTPUnauthorized. Currently HG clients have troubles with
+## handling that. Set this variable to 403 to return HTTPForbidden
+auth_ret_code =
+
 ####################################
 ### CELERY CONFIG ####
 ####################################
diff --git a/rhodecode/config/deployment.ini_tmpl b/rhodecode/config/deployment.ini_tmpl
index 0c5f7925..f04b86c0 100644
--- a/rhodecode/config/deployment.ini_tmpl
+++ b/rhodecode/config/deployment.ini_tmpl
@@ -93,6 +93,11 @@ issue_prefix = #
 ## all running rhodecode instances. Leave empty if you don't use it
 instance_id =
+## alternative return HTTP header for failed authentication. Default HTTP
+## response is 401 HTTPUnauthorized. Currently HG clients have troubles with
+## handling that. Set this variable to 403 to return HTTPForbidden
+auth_ret_code =
+
 ####################################
 ### CELERY CONFIG ####
 ####################################
diff --git a/rhodecode/lib/base.py b/rhodecode/lib/base.py
index 27de031a..70ed9012 100644
--- a/rhodecode/lib/base.py
+++ b/rhodecode/lib/base.py
@@ -7,6 +7,8 @@ import time
 import traceback
 from paste.auth.basic import AuthBasicAuthenticator
+from paste.httpexceptions import HTTPUnauthorized, HTTPForbidden
+from paste.httpheaders import WWW_AUTHENTICATE
 from pylons import config, tmpl_context as c, request, session, url
 from pylons.controllers import WSGIController
@@ -28,6 +30,22 @@ from rhodecode.model.scm import ScmModel
 log = logging.getLogger(__name__)
+class BasicAuth(AuthBasicAuthenticator):
+
+ def __init__(self, realm, authfunc, auth_http_code=None):
+ self.realm = realm
+ self.authfunc = authfunc
+ self._rc_auth_http_code = auth_http_code
+
+ def build_authentication(self):
+ head = WWW_AUTHENTICATE.tuples('Basic realm="%s"' % self.realm)
+ if self._rc_auth_http_code and self._rc_auth_http_code == '403':
+ # return 403 if alternative http return code is specified in
+ # RhodeCode config
+ return HTTPForbidden(headers=head)
+ return HTTPUnauthorized(headers=head)
+
+
 class BaseVCSController(object):
 def __init__(self, application, config):
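Review bot: In `BasicAuth.build_authentication` the switch is an exact comparison against the string `'403'`, so any other configured value (a different code, or an integer passed by a caller) silently falls back to 401 with nothing logged. The leading `self._rc_auth_http_code and` test is redundant with the equality check; normalising once in `__init__` with `self._rc_auth_http_code = str(auth_http_code).strip() if auth_http_code else None` and logging an unrecognised value through the module's `log` would make a misconfiguration visible. With the option set, failed authentication is answered with 403 instead of 401, so access-log alerting or rate limiting that counts 401 responses on the VCS endpoints will stop seeing these failures and needs to count 403 as well. A class docstring stating that, and that the 403 still carries the `WWW-Authenticate` challenge, would help operators.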
@@ -36,7 +54,8 @@ class BaseVCSController(object):
 # base path of repo locations
 self.basepath = self.config['base_path']
 #authenticate this mercurial request using authfunc
- self.authenticate = AuthBasicAuthenticator('', authfunc)
+ self.authenticate = BasicAuth('', authfunc,
+ config.get('auth_ret_code'))
 self.ipaddr = '0.0.0.0'
 def _handle_request(self, environ, start_response): |
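Review bot: The new call reads the option with `config.get('auth_ret_code')`, while the line just above it uses `self.config['base_path']`. Inside `__init__(self, application, config)` the bare name is the constructor argument, not the module-level `config` imported from `pylons`, which is easy to misread. Writing `self.config.get('auth_ret_code')` would keep the two lookups consistent, assuming `self.config` is assigned from that argument in the lines above the hunk, which are not visible here. A short comment next to the call, such as `# auth_ret_code: '403' answers failed authentication with 403 instead of 401`, would also help; `__init__` starts above the hunk.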