|
|
|
@ -23,9 +23,11 @@ from functools import wraps
|
|
|
|
|
from sqlalchemy.sql.expression import func
|
|
|
|
|
from werkzeug.security import check_password_hash
|
|
|
|
|
from flask_login import login_required, login_user
|
|
|
|
|
from flask import request, Response
|
|
|
|
|
|
|
|
|
|
from . import lm, ub, config, constants, services
|
|
|
|
|
from . import lm, ub, config, constants, services, logger
|
|
|
|
|
|
|
|
|
|
log = logger.create()
|
|
|
|
|
|
|
|
|
|
def login_required_if_no_ano(func):
|
|
|
|
|
@wraps(func)
|
|
|
|
@ -36,6 +38,47 @@ def login_required_if_no_ano(func):
|
|
|
|
|
|
|
|
|
|
return decorated_view
|
|
|
|
|
|
|
|
|
|
def requires_basic_auth_if_no_ano(f):
|
|
|
|
|
@wraps(f)
|
|
|
|
|
def decorated(*args, **kwargs):
|
|
|
|
|
auth = request.authorization
|
|
|
|
|
if config.config_anonbrowse != 1:
|
|
|
|
|
if not auth or auth.type != 'basic' or not check_auth(auth.username, auth.password):
|
|
|
|
|
return authenticate()
|
|
|
|
|
print("opds_requires_basic_auth")
|
|
|
|
|
user = load_user_from_auth_header(auth.username, auth.password)
|
|
|
|
|
if not user:
|
|
|
|
|
return None
|
|
|
|
|
login_user(user)
|
|
|
|
|
return f(*args, **kwargs)
|
|
|
|
|
if config.config_login_type == constants.LOGIN_LDAP and services.ldap and config.config_anonbrowse != 1:
|
|
|
|
|
return services.ldap.basic_auth_required(f)
|
|
|
|
|
|
|
|
|
|
return decorated
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
def check_auth(username, password):
|
|
|
|
|
try:
|
|
|
|
|
username = username.encode('windows-1252')
|
|
|
|
|
except UnicodeEncodeError:
|
|
|
|
|
username = username.encode('utf-8')
|
|
|
|
|
user = ub.session.query(ub.User).filter(func.lower(ub.User.name) ==
|
|
|
|
|
username.decode('utf-8').lower()).first()
|
|
|
|
|
if bool(user and check_password_hash(str(user.password), password)):
|
|
|
|
|
return True
|
|
|
|
|
else:
|
|
|
|
|
ip_address = request.headers.get('X-Forwarded-For', request.remote_addr)
|
|
|
|
|
log.warning('OPDS Login failed for user "%s" IP-address: %s', username.decode('utf-8'), ip_address)
|
|
|
|
|
return False
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
def authenticate():
|
|
|
|
|
return Response(
|
|
|
|
|
'Could not verify your access level for that URL.\n'
|
|
|
|
|
'You have to login with proper credentials', 401,
|
|
|
|
|
{'WWW-Authenticate': 'Basic realm="Login Required"'})
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
def _fetch_user_by_name(username):
|
|
|
|
|
return ub.session.query(ub.User).filter(func.lower(ub.User.name) == username.lower()).first()
|
|
|
|
@ -43,11 +86,13 @@ def _fetch_user_by_name(username):
|
|
|
|
|
|
|
|
|
|
@lm.user_loader
|
|
|
|
|
def load_user(user_id):
|
|
|
|
|
print("load_user: {}".format(user_id))
|
|
|
|
|
return ub.session.query(ub.User).filter(ub.User.id == int(user_id)).first()
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
@lm.request_loader
|
|
|
|
|
def load_user_from_request(request):
|
|
|
|
|
print("load_from_request")
|
|
|
|
|
if config.config_allow_reverse_proxy_header_login:
|
|
|
|
|
rp_header_name = config.config_reverse_proxy_login_header_name
|
|
|
|
|
if rp_header_name:
|
|
|
|
@ -58,30 +103,33 @@ def load_user_from_request(request):
|
|
|
|
|
login_user(user)
|
|
|
|
|
return user
|
|
|
|
|
|
|
|
|
|
auth_header = request.headers.get("Authorization")
|
|
|
|
|
if auth_header:
|
|
|
|
|
user = load_user_from_auth_header(auth_header)
|
|
|
|
|
if user:
|
|
|
|
|
return user
|
|
|
|
|
|
|
|
|
|
return
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
def load_user_from_auth_header(header_val):
|
|
|
|
|
if header_val.startswith('Basic '):
|
|
|
|
|
header_val = header_val.replace('Basic ', '', 1)
|
|
|
|
|
basic_username = basic_password = '' # nosec
|
|
|
|
|
try:
|
|
|
|
|
header_val = base64.b64decode(header_val).decode('utf-8')
|
|
|
|
|
# Users with colon are invalid: rfc7617 page 4
|
|
|
|
|
basic_username = header_val.split(':', 1)[0]
|
|
|
|
|
basic_password = header_val.split(':', 1)[1]
|
|
|
|
|
except (TypeError, UnicodeDecodeError, binascii.Error):
|
|
|
|
|
pass
|
|
|
|
|
#auth_header = request.headers.get("Authorization")
|
|
|
|
|
#if auth_header:
|
|
|
|
|
# user = load_user_from_auth_header(auth_header)
|
|
|
|
|
# if user:
|
|
|
|
|
# login_user(user)
|
|
|
|
|
# return user
|
|
|
|
|
|
|
|
|
|
return None
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
def load_user_from_auth_header(basic_username, basic_password):
|
|
|
|
|
#if header_val.startswith('Basic '):
|
|
|
|
|
# header_val = header_val.replace('Basic ', '', 1)
|
|
|
|
|
#basic_username = basic_password = '' # nosec
|
|
|
|
|
#try:
|
|
|
|
|
# header_val = base64.b64decode(header_val).decode('utf-8')
|
|
|
|
|
# # Users with colon are invalid: rfc7617 page 4
|
|
|
|
|
# basic_username = header_val.split(':', 1)[0]
|
|
|
|
|
# basic_password = header_val.split(':', 1)[1]
|
|
|
|
|
#except (TypeError, UnicodeDecodeError, binascii.Error):
|
|
|
|
|
# pass
|
|
|
|
|
user = _fetch_user_by_name(basic_username)
|
|
|
|
|
if user and config.config_login_type == constants.LOGIN_LDAP and services.ldap:
|
|
|
|
|
if services.ldap.bind_user(str(user.password), basic_password):
|
|
|
|
|
login_user(user)
|
|
|
|
|
return user
|
|
|
|
|
if user and check_password_hash(str(user.password), basic_password):
|
|
|
|
|
login_user(user)
|
|
|
|
|
return user
|
|
|
|
|
return
|
|
|
|
|
return None
|
|
|
|
|