authorMarcin Kuzminski <marcin@python-works.com>2012-03-16 23:58:05 +0200
committerMarcin Kuzminski <marcin@python-works.com>2012-03-16 23:58:05 +0200
commitef8a062e805d7aab7cd3c2006943624a6308e5bb (patch)
treec8ccb227431f7764879f82323363305ad635cf0c
parent0d11ef46a297e2745e8cf34e936cbcb6abd744c6 (diff)
Alternative HTTP response codes when client failed to Authenticate correctly
--HG-- branch : beta
-rw-r--r--development.ini5
-rw-r--r--docs/changelog.rst2
-rw-r--r--production.ini5
-rw-r--r--rhodecode/config/deployment.ini_tmpl5
-rw-r--r--rhodecode/lib/base.py21
5 files changed, 37 insertions, 1 deletions
diff --git a/development.ini b/development.ini
index 18ad7a35..3b4036fe 100644
--- a/development.ini
+++ b/development.ini
@@ -93,6 +93,11 @@ issue_prefix = #
## all running rhodecode instances. Leave empty if you don't use it
instance_id =
+## alternative return HTTP header for failed authentication. Default HTTP
+## response is 401 HTTPUnauthorized. Currently HG clients have troubles with
+## handling that. Set this variable to 403 to return HTTPForbidden
+auth_ret_code =
+
####################################
### CELERY CONFIG ####
####################################
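Review bot: The comment added above `auth_ret_code =` calls the setting an "HTTP header", but it selects the response status code. It also does not say that `403` is the only value that has any effect: per `build_authentication` in rhodecode/lib/base.py in this commit, an empty or any other value keeps the default 401. I would reword it to something like `## alternative HTTP status code for failed authentication; only 403 is recognised, any other value (or empty) keeps the default 401 HTTPUnauthorized`. The same wording is repeated in the production.ini and rhodecode/config/deployment.ini_tmpl hunks.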
diff --git a/docs/changelog.rst b/docs/changelog.rst
index 45b4aca2..186bf7da 100644
--- a/docs/changelog.rst
+++ b/docs/changelog.rst
@@ -23,6 +23,8 @@ news
- #399 added inheritance of permissions for users group on repos groups
- #401 repository group is automatically pre-selected when adding repos
inside a repository group
+- added alternative HTTP 403 response when client failed to authenticate. Helps
+ solving issues with Mercurial and LDAP
fixes
+++++
diff --git a/production.ini b/production.ini
index 4360084e..aca03ee3 100644
--- a/production.ini
+++ b/production.ini
@@ -93,6 +93,11 @@ issue_prefix = #
## all running rhodecode instances. Leave empty if you don't use it
instance_id =
+## alternative return HTTP header for failed authentication. Default HTTP
+## response is 401 HTTPUnauthorized. Currently HG clients have troubles with
+## handling that. Set this variable to 403 to return HTTPForbidden
+auth_ret_code =
+
####################################
### CELERY CONFIG ####
####################################
diff --git a/rhodecode/config/deployment.ini_tmpl b/rhodecode/config/deployment.ini_tmpl
index 0c5f7925..f04b86c0 100644
--- a/rhodecode/config/deployment.ini_tmpl
+++ b/rhodecode/config/deployment.ini_tmpl
@@ -93,6 +93,11 @@ issue_prefix = #
## all running rhodecode instances. Leave empty if you don't use it
instance_id =
+## alternative return HTTP header for failed authentication. Default HTTP
+## response is 401 HTTPUnauthorized. Currently HG clients have troubles with
+## handling that. Set this variable to 403 to return HTTPForbidden
+auth_ret_code =
+
####################################
### CELERY CONFIG ####
####################################
diff --git a/rhodecode/lib/base.py b/rhodecode/lib/base.py
index 27de031a..70ed9012 100644
--- a/rhodecode/lib/base.py
+++ b/rhodecode/lib/base.py
@@ -7,6 +7,8 @@ import time
import traceback
from paste.auth.basic import AuthBasicAuthenticator
+from paste.httpexceptions import HTTPUnauthorized, HTTPForbidden
+from paste.httpheaders import WWW_AUTHENTICATE
from pylons import config, tmpl_context as c, request, session, url
from pylons.controllers import WSGIController
@@ -28,6 +30,22 @@ from rhodecode.model.scm import ScmModel
log = logging.getLogger(__name__)
+class BasicAuth(AuthBasicAuthenticator):
+
+ def __init__(self, realm, authfunc, auth_http_code=None):
+ self.realm = realm
+ self.authfunc = authfunc
+ self._rc_auth_http_code = auth_http_code
+
+ def build_authentication(self):
+ head = WWW_AUTHENTICATE.tuples('Basic realm="%s"' % self.realm)
+ if self._rc_auth_http_code and self._rc_auth_http_code == '403':
+ # return 403 if alternative http return code is specified in
+ # RhodeCode config
+ return HTTPForbidden(headers=head)
+ return HTTPUnauthorized(headers=head)
+
+
class BaseVCSController(object):
def __init__(self, application, config):
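Review bot: In `build_authentication` the check `self._rc_auth_http_code == '403'` is an exact string match, so a mistyped or unsupported `auth_ret_code` silently falls back to 401 with nothing logged. The truthiness test before it is also redundant and the condition can be just `if self._rc_auth_http_code == '403':`. Validating the value once in `__init__` and emitting `log.warning('unsupported auth_ret_code %r, using 401', auth_http_code)` for anything other than empty or `'403'` would make a misconfiguration visible. The 403 branch also deserves a comment noting that failed logins then share a status code with permission denials, so monitoring that counts 401 responses to spot password guessing needs to key on something else. `BasicAuth.__init__` does not call the parent constructor, which looks safe only as long as `AuthBasicAuthenticator.__init__` sets nothing beyond `realm` and `authfunc` — worth confirming against the paste version in use.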
@@ -36,7 +54,8 @@ class BaseVCSController(object):
# base path of repo locations
self.basepath = self.config['base_path']
#authenticate this mercurial request using authfunc
- self.authenticate = AuthBasicAuthenticator('', authfunc)
+ self.authenticate = BasicAuth('', authfunc,
+ config.get('auth_ret_code'))
self.ipaddr = '0.0.0.0'
def _handle_request(self, environ, start_response):
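Review bot: The new call reads `config.get('auth_ret_code')` from the constructor argument, while the line just above uses `self.config['base_path']`. They are presumably the same object, but `self.config.get('auth_ret_code')` would keep the method consistent. The parameter name `config` also shadows the `pylons.config` import visible in the first hunk of this file, so a reader can easily misjudge which configuration the authentication setting comes from. `__init__` starts outside this hunk, so the assignment of `self.config` is not visible here.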