def kimchiauth(admin_methods=None):
    """
    Gate the current request behind authentication and a permission check.

    Returns silently when either check_auth_session() or check_auth_httpba()
    succeeds and has_permission(admin_methods) is true.  Raises HTTP 403
    when the caller is authenticated but has_permission() is false.
    Unauthenticated requests are sent to redirect_login() or get HTTP 401.
    """
    debug("Entering kimchiauth...")

    # Read before the auth checks run, as in the original statement order.
    # NOTE(review): presumably the checks may touch the session - confirm.
    was_session_missing = cherrypy.session.missing

    # Session auth is tried first and Basic auth only if it fails.  Either
    # way the permission check must pass before the request is let through.
    if check_auth_session() or check_auth_httpba():
        if has_permission(admin_methods):
            return
        raise cherrypy.HTTPError(403)

    # Not a REST request: send the client to the login page directly.
    sends_accept = "Accept" in cherrypy.request.headers
    if sends_accept and not template.can_accept('application/json'):
        redirect_login()

    # From a browser that stays on one page.  lastPage is a client-supplied
    # cookie; here it only selects which 401 message is returned.
    last_page = cherrypy.request.cookie.get("lastPage")
    if was_session_missing and last_page is not None:
        raise cherrypy.HTTPError(401, "sessionTimeout")

    # The Basic challenge is advertised to non-browser clients only.
    if not from_browser():
        cherrypy.response.headers['WWW-Authenticate'] = 'Basic realm=kimchi'

    error = InvalidOperation('KCHAUTH0002E')
    raise cherrypy.HTTPError(401, error.message.encode('utf-8'))
def get(self):
    """
    Serve the default page, or send a first-time HTML client to the login page.

    Raises cherrypy.HTTPRedirect (303 to /login.html) when there is neither
    an original session id nor a lastPage cookie and the client accepts HTML
    but not JSON.  Otherwise returns self.default(self.default_page).
    """
    last_page = cherrypy.request.cookie.get("lastPage")

    # After a session timeout only the session cookie is missing.
    # On a first login both the session and lastPage are missing.
    first_visit = cherrypy.session.originalid is None and last_page is None

    if (first_visit
            and not template.can_accept('application/json')
            and template.can_accept_html()):
        raise cherrypy.HTTPRedirect("/login.html", 303)

    return self.default(self.default_page)
def kimchisession(admin_methods=None):
    """
    Redirect a first-time, non-JSON client to the login page.

    Only the presence of the "kimchi" and "lastPage" cookies and of the
    Authorization header is inspected; none of them is validated here, so
    this function decides about the redirect only, not about authentication.
    admin_methods is accepted but not used in this body.
    """
    cookies = cherrypy.request.cookie
    session_cookie = cookies.get("kimchi")
    last_page = cookies.get("lastPage")
    headers = cherrypy.request.headers
    authheader = headers.get('AUTHORIZATION')

    # On a first login from a browser both the session and lastPage cookies
    # are missing.  After a session timeout only the session cookie is.
    if (session_cookie is not None
            or last_page is not None
            or authheader is not None):
        return

    if "Accept" in headers and not template.can_accept('application/json'):
        redirect_login()
def login(username, password):
    """
    Verify a username/password pair through authenticate().

    Returns None when authenticate() reports that the password does not
    match.  When authenticate() raises PAM.error, a /login request from a
    client that does not accept JSON is redirected (303) to
    /login.html?error=userPassWrong; any other request gets
    OperationFailed("KCHAUTH0001E") carrying the username and the PAM code.

    NOTE(review): as shown, the success path also falls through and returns
    None - confirm whether the rest of the function is outside this listing.
    """
    try:
        verified = authenticate(username, password)
        if not verified:
            debug("User cannot be verified with the supplied password")
            return None
    except PAM.error, (resp, code):
        # The redirect target is a fixed string, with no request data in it.
        html_login_form = (
            cherrypy.request.path_info == "/login"
            and not template.can_accept('application/json'))
        if html_login_form:
            raise cherrypy.HTTPRedirect("/login.html?error=userPassWrong", 303)

        raise OperationFailed("KCHAUTH0001E",
                              {'username': username, 'code': code})
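def check_auth_httpba():
    """
    Authenticate a REST API request from its HTTP Basic Auth header.

    REST API users may authenticate with HTTP Basic Auth.  This is not
    allowed for the UI because web browsers would cache the credentials
    and make it impossible for the user to log out without closing their
    browser completely.

    Returns False when the request comes from a browser, does not accept
    JSON, or carries no well-formed Basic Authorization header.  Otherwise
    returns whatever login() returns for the decoded credentials.
    """
    if from_browser() or not template.can_accept('application/json'):
        return False

    authheader = cherrypy.request.headers.get('AUTHORIZATION')
    if not authheader:
        debug("No authentication headers found")
        return False

    # The header value is only base64-encoded, so logging it would write
    # the username and password to the log.  Record its presence only.
    debug("Authorization header found (value not logged)")

    # Accept the Basic scheme only.  Scheme names are case-insensitive, and
    # any other scheme is rejected instead of being fed to the decoder.
    scheme, _, b64data = authheader.strip().partition(" ")
    if scheme.lower() != "basic":
        debug("Authorization header does not use the Basic scheme")
        return False

    try:
        decodeddata = base64.b64decode(b64data.strip().encode("ASCII"))
        credentials = decodeddata.decode()
    except (TypeError, ValueError):
        # Invalid base64 or undecodable bytes: treat the request as
        # unauthenticated rather than letting the exception escape.
        debug("Malformed Basic credentials")
        return False

    # Split on the first ':' only, so the password may contain ':' while
    # the username cannot.  A value with no ':' at all is malformed.
    username, separator, password = credentials.partition(":")
    if not separator:
        debug("Malformed Basic credentials")
        return False

    return login(username, password)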
def kimchiauth():
    """
    Let authenticated requests through; redirect or reject all others.

    Returns silently when check_auth_session() or check_auth_httpba()
    succeeds.  No permission check is made in this variant.  Unauthenticated
    requests are sent to redirect_login() or get HTTP 401.
    """
    debug("Entering kimchiauth...")

    # Read before the auth checks run, as in the original statement order.
    # NOTE(review): presumably the checks may touch the session - confirm.
    was_session_missing = cherrypy.session.missing

    # Session auth is tried first and Basic auth only if it fails.
    if check_auth_session() or check_auth_httpba():
        return

    # Not a REST request: send the client to the login page directly.
    request_headers = cherrypy.request.headers
    if "Accept" in request_headers and not template.can_accept("application/json"):
        redirect_login()

    # From a browser that stays on one page.  lastPage is a client-supplied
    # cookie; here it only selects which 401 message is returned.
    if was_session_missing:
        if cherrypy.request.cookie.get("lastPage") is not None:
            raise cherrypy.HTTPError(401, "sessionTimeout")

    # The Basic challenge is advertised to non-browser clients only.
    if not from_browser():
        cherrypy.response.headers["WWW-Authenticate"] = "Basic realm=kimchi"

    failure = InvalidOperation("KCHAUTH0002E")
    raise cherrypy.HTTPError(401, failure.message.encode("utf-8"))
def kimchiauth():
    """
    Authenticate the current request or fail it.

    Session authentication is tried first, then HTTP Basic Auth.  If either
    succeeds the function returns with no further checks.  Otherwise the
    client is sent to redirect_login() or receives HTTP 401.
    """
    debug("Entering kimchiauth...")

    # Captured up front, ahead of the auth checks, as the original does.
    # NOTE(review): presumably the checks can alter session state - confirm.
    no_session_at_entry = cherrypy.session.missing

    authenticated = check_auth_session() or check_auth_httpba()
    if authenticated:
        return

    # A client that sent Accept but does not take JSON is not a REST caller,
    # so it goes straight to the login page.
    if ("Accept" in cherrypy.request.headers
            and not template.can_accept('application/json')):
        redirect_login()

    # Browser staying on one page: report the timeout.  The lastPage cookie
    # comes from the client and only affects which 401 message is sent.
    last_page = cherrypy.request.cookie.get("lastPage")
    if no_session_at_entry and last_page is not None:
        raise cherrypy.HTTPError(401, "sessionTimeout")

    # Browsers are not sent the Basic challenge; other clients are.
    if not from_browser():
        cherrypy.response.headers['WWW-Authenticate'] = 'Basic realm=kimchi'

    err = InvalidOperation('KCHAUTH0002E')
    raise cherrypy.HTTPError(401, err.message.encode('utf-8'))