diff --git a/cps/admin.py b/cps/admin.py index 3bb747db..a901791f 100644 --- a/cps/admin.py +++ b/cps/admin.py @@ -350,6 +350,10 @@ def _configuration_update_helper(): _config_int("config_updatechannel") + # Reverse proxy login configuration + _config_checkbox("config_allow_reverse_proxy_header_login") + _config_string("config_reverse_proxy_login_header_name") + # GitHub OAuth configuration if config.config_login_type == constants.LOGIN_OAUTH: active_oauths = 0 diff --git a/cps/config_sql.py b/cps/config_sql.py index 1ae8f235..e940c450 100644 --- a/cps/config_sql.py +++ b/cps/config_sql.py @@ -106,6 +106,9 @@ class _Settings(_Base): config_updatechannel = Column(Integer, default=constants.UPDATE_STABLE) + config_reverse_proxy_login_header_name = Column(String) + config_allow_reverse_proxy_header_login = Column(Boolean, default=False) + def __repr__(self): return self.__class__.__name__ @@ -250,8 +253,7 @@ class _ConfigSQL(object): for k, v in self.__dict__.items(): if k[0] == '_': continue - if hasattr(s, k): # and getattr(s, k, None) != v: - # log.debug("_Settings save '%s' = %r", k, v) + if hasattr(s, k): setattr(s, k, v) log.debug("_ConfigSQL updating storage") @@ -279,7 +281,13 @@ def _migrate_table(session, orm_class): if sys.version_info < (3, 0): if isinstance(column.default.arg,unicode): column.default.arg = column.default.arg.encode('utf-8') - column_default = "" if column.default is None else ("DEFAULT %r" % column.default.arg) + if column.default is None: + column_default = "" + else: + if isinstance(column.default.arg, bool): + column_default = ("DEFAULT %r" % int(column.default.arg)) + else: + column_default = ("DEFAULT %r" % column.default.arg) alter_table = "ALTER TABLE %s ADD COLUMN `%s` %s %s" % (orm_class.__tablename__, column_name, column.type, diff --git a/cps/templates/admin.html b/cps/templates/admin.html index 17b84f34..a7770c59 100644 --- a/cps/templates/admin.html +++ b/cps/templates/admin.html 
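Review bot: The two calls added to `_configuration_update_helper` in `cps/admin.py` save the checkbox and the header name independently, so the option can be turned on while the header name is empty. Going by the loader added in `cps/web.py`, an empty name leaves the feature silently inactive, and any non-empty name becomes a passwordless identity source. I would validate the pair before saving, e.g. `if config.config_allow_reverse_proxy_header_login and not config.config_reverse_proxy_login_header_name:` followed by the error return this helper uses for invalid settings. The helper's body and its error convention lie outside the hunk, so that last part needs checking against the full function.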
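Review bot: In the last `cps/config_sql.py` hunk (`_migrate_table`), the nested `else:` followed by `if isinstance(column.default.arg, bool):` reads more easily as a flat chain, with `elif isinstance(column.default.arg, bool):` and a final `else:`. A short comment such as `# bool defaults are written as 0/1; %r would emit True/False` would record why the bool case exists. The function starts and ends outside the hunk.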
@@ -1,4 +1,7 @@ {% extends "layout.html" %} +{% macro display_bool_setting(setting_value) -%} + {% if setting_value %}{% else %}{% endif %} +{%- endmacro %} {% block body %}
@@ -23,11 +26,11 @@ {{user.email}} {{user.kindle_mail}} {{user.downloads.count()}} - {% if user.role_admin() %}{% else %}{% endif %} - {% if user.role_download() %}{% else %}{% endif %} - {% if user.role_viewer() %}{% else %}{% endif %} - {% if user.role_upload() %}{% else %}{% endif %} - {% if user.role_edit() %}{% else %}{% endif %} + {{ display_bool_setting(user.role_admin()) }} + {{ display_bool_setting(user.role_download()) }} + {{ display_bool_setting(user.role_viewer()) }} + {{ display_bool_setting(user.role_upload()) }} + {{ display_bool_setting(user.role_edit()) }} {% endif %} {% endfor %} @@ -83,20 +86,30 @@
{{_('Uploading')}}
-
{% if config.config_uploading %}{% else %}{% endif %}
+
{{ display_bool_setting(config.config_uploading) }}
{{_('Anonymous browsing')}}
-
{% if config.config_anonbrowse %}{% else %}{% endif %}
+
{{ display_bool_setting(config.config_anonbrowse) }}
{{_('Public registration')}}
-
{% if config.config_public_reg %}{% else %}{% endif %}
+
{{ display_bool_setting(config.config_public_reg) }}
{{_('Remote login')}}
-
{% if config.config_remote_login %}{% else %}{% endif %}
+
{{ display_bool_setting(config.config_remote_login) }}
+
+
{{_('Reverse proxy login')}}
+
{{ display_bool_setting(config.config_allow_reverse_proxy_header_login) }}
+
+ {% if config.config_allow_reverse_proxy_header_login %} +
+
{{_('Reverse proxy header name')}}
+
{{ config.config_reverse_proxy_login_header_name }}
+
+ {% endif %}
{{_('Basic Configuration')}}
{{_('UI Configuration')}}
diff --git a/cps/templates/config_edit.html b/cps/templates/config_edit.html index 85b9598e..0d28b8ea 100644 --- a/cps/templates/config_edit.html +++ b/cps/templates/config_edit.html @@ -200,7 +200,7 @@ {% if feature_support['ldap'] %} -
+
@@ -271,6 +271,16 @@
{% endif %} {% endif %} +
+ + +
+
+
+ + +
+
diff --git a/cps/web.py b/cps/web.py
index 9ef90812..07373d1f 100644
--- a/cps/web.py
+++ b/cps/web.py
@@ -114,14 +114,35 @@ web = Blueprint('web', __name__)
 log = logger.create()
 # ################################### Login logic and rights management ###############################################
+def _fetch_user_by_name(username):
+ return ub.session.query(ub.User).filter(func.lower(ub.User.nickname) == username.lower()).first()
 @lm.user_loader
 def load_user(user_id):
 return ub.session.query(ub.User).filter(ub.User.id == int(user_id)).first()
-@lm.header_loader
-def load_user_from_header(header_val):
+@lm.request_loader
+def load_user_from_request(request):
+ auth_header = request.headers.get("Authorization")
+ if auth_header:
+ user = load_user_from_auth_header(auth_header)
+ if user:
+ return user
+
+ if config.config_allow_reverse_proxy_header_login:
+ rp_header_name = config.config_reverse_proxy_login_header_name
+ if rp_header_name:
+ rp_header_username = request.headers.get(rp_header_name)
+ if rp_header_username:
+ user = _fetch_user_by_name(rp_header_username)
+ if user:
+ return user
+
+ return
+
+
+def load_user_from_auth_header(header_val):
 if header_val.startswith('Basic '):
 header_val = header_val.replace('Basic ', '', 1)
 basic_username = basic_password = ''
@@ -131,7 +152,7 @@ def load_user_from_header(header_val):
 basic_password = header_val.split(':')[1]
 except TypeError:
 pass
- user = ub.session.query(ub.User).filter(func.lower(ub.User.nickname) == basic_username.lower()).first()
+ user = _fetch_user_by_name(basic_username)
 if user and check_password_hash(str(user.password), basic_password):
 return user
 return
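Review bot: In `load_user_from_request`, the value of the configured header is accepted as the logged-in identity with no password and no check of where the request came from. The setting is therefore only safe when every request reaches the app through a proxy that removes or overwrites that header on inbound traffic, and this applies to admin accounts too, since `_fetch_user_by_name` matches any nickname. I would gate the branch on the peer address, e.g. `if config.config_allow_reverse_proxy_header_login and request.remote_addr in trusted_proxies:` (`trusted_proxies` is a placeholder for a new setting, not something this commit defines), and add a comment above it stating the deployment requirement. Logging each header-based login with `log.info` (username and remote address) would make use of this path visible in audit. A docstring on `load_user_from_request` should state the lookup order: Basic `Authorization` first, then the proxy header.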