Merge branch 'pre-auth' into basic_auth

Conflicts:
	mediagoblin/auth/tools.py
	mediagoblin/auth/views.py
	mediagoblin/db/migrations.py
	mediagoblin/plugins/basic_auth/lib.py
	mediagoblin/plugins/httpapiauth/__init__.py
	mediagoblin/plugins/piwigo/views.py

6 files changed, 90 insertions, 73 deletions

diff --git a/mediagoblin/auth/tools.py b/mediagoblin/auth/tools.py
index 3e3c36f0..f38a292a 100644
--- a/mediagoblin/auth/tools.py
+++ b/mediagoblin/auth/tools.py
@@ -15,15 +15,21 @@
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
 import logging
+
 import wtforms
+from sqlalchemy import or_
 
-from mediagoblin import messages, mg_globals
-from mediagoblin.tools.mail import normalize_email, send_email
+from mediagoblin import mg_globals
+from mediagoblin.auth import lib as auth_lib
+from mediagoblin.db.models import User
+from mediagoblin.tools.mail import (normalize_email, send_email,
+                                    email_debug_message)
 from mediagoblin.tools.translate import lazy_pass_to_ugettext as _
 from mediagoblin.tools.template import render_template
 from mediagoblin.tools.pluginapi import hook_handle
 from mediagoblin import auth
-from mediagoblin.db.models import User
+
+_log = logging.getLogger(__name__)
 
 _log = logging.getLogger(__name__)
 
@@ -87,6 +93,41 @@ def no_auth_logout(request):
         request.session.delete()
 
 
+EMAIL_VERIFICATION_TEMPLATE = (
+    u"http://{host}{uri}?"
+    u"userid={userid}&token={verification_key}")
+
+
+def send_verification_email(user, request):
+    """
+    Send the verification email to users to activate their accounts.
+
+    Args:
+    - user: a user object
+    - request: the request
+    """
+    rendered_email = render_template(
+        request, 'mediagoblin/auth/verification_email.txt',
+        {'username': user.username,
+         'verification_url': EMAIL_VERIFICATION_TEMPLATE.format(
+                host=request.host,
+                uri=request.urlgen('mediagoblin.auth.verify_email'),
+                userid=unicode(user.id),
+                verification_key=user.verification_key)})
+
+    # TODO: There is no error handling in place
+    send_email(
+        mg_globals.app_config['email_sender_address'],
+        [user.email],
+        # TODO
+        # Due to the distributed nature of GNU MediaGoblin, we should
+        # find a way to send some additional information about the
+        # specific GNU MediaGoblin instance in the subject line. For
+        # example "GNU MediaGoblin @ Wandborg - [...]".
+        'GNU MediaGoblin - Verify your email!',
+        rendered_email)
+
+
 def basic_extra_validation(register_form, *args):
     users_with_username = User.query.filter_by(
         username=register_form.username.data).count()
@@ -127,54 +168,6 @@ def register_user(request, register_form):
     return None
 
 
-def email_debug_message(request):
-    """
-    If the server is running in email debug mode (which is
-    the current default), give a debug message to the user
-    so that they have an idea where to find their email.
-    """
-    if mg_globals.app_config['email_debug_mode']:
-        # DEBUG message, no need to translate
-        messages.add_message(request, messages.DEBUG,
-            u"This instance is running in email debug mode. "
-            u"The email will be on the console of the server process.")
-
-
-EMAIL_VERIFICATION_TEMPLATE = (
-    u"http://{host}{uri}?"
-    u"userid={userid}&token={verification_key}")
-
-
-def send_verification_email(user, request):
-    """
-    Send the verification email to users to activate their accounts.
-
-    Args:
-    - user: a user object
-    - request: the request
-    """
-    rendered_email = render_template(
-        request, 'mediagoblin/auth/verification_email.txt',
-        {'username': user.username,
-         'verification_url': EMAIL_VERIFICATION_TEMPLATE.format(
-                host=request.host,
-                uri=request.urlgen('mediagoblin.auth.verify_email'),
-                userid=unicode(user.id),
-                verification_key=user.verification_key)})
-
-    # TODO: There is no error handling in place
-    send_email(
-        mg_globals.app_config['email_sender_address'],
-        [user.email],
-        # TODO
-        # Due to the distributed nature of GNU MediaGoblin, we should
-        # find a way to send some additional information about the
-        # specific GNU MediaGoblin instance in the subject line. For
-        # example "GNU MediaGoblin @ Wandborg - [...]".
-        'GNU MediaGoblin - Verify your email!',
-        rendered_email)
-
-
 EMAIL_FP_VERIFICATION_TEMPLATE = (
     u"http://{host}{uri}?"
     u"userid={userid}&token={fp_verification_key}")
@@ -203,3 +196,19 @@ def send_fp_verification_email(user, request):
         [user.email],
         'GNU MediaGoblin - Change forgotten password!',
         rendered_email)
+
+
+def check_login_simple(username, password, username_might_be_email=False):
+    search = (User.username == username)
+    if username_might_be_email and ('@' in username):
+        search = or_(search, User.email == username)
+    user = User.query.filter(search).first()
+    if not user:
+        _log.info("User %r not found", username)
+        auth_lib.fake_login_attempt()
+        return None
+    if not auth_lib.bcrypt_check_password(password, user.pw_hash):
+        _log.warn("Wrong password for %r", username)
+        return None
+    _log.info("Logging %r in", username)
+    return user
diff --git a/mediagoblin/auth/views.py b/mediagoblin/auth/views.py
index a21a92e9..109763ce 100644
--- a/mediagoblin/auth/views.py
+++ b/mediagoblin/auth/views.py
@@ -21,11 +21,13 @@ from mediagoblin import messages, mg_globals
 from mediagoblin.db.models import User
 from mediagoblin.tools.response import render_to_response, redirect, render_404
 from mediagoblin.tools.translate import pass_to_ugettext as _
+from mediagoblin.tools.mail import email_debug_message
 from mediagoblin.auth import lib as auth_lib
 from mediagoblin.auth import forms as auth_forms
 from mediagoblin.auth.tools import (send_verification_email,
-                                    register_user, email_debug_message,
-                                    send_fp_verification_email)
+                                    register_user,
+                                    send_fp_verification_email,
+                                    check_login_simple)
 from mediagoblin import auth
 
 
@@ -92,10 +94,12 @@ def login(request):
     login_failed = False
 
     if request.method == 'POST':
+        username = login_form.username.data
+
         if login_form.validate():
-            user = auth.get_user(login_form)
+            user = check_login_simple(username, login_form.password.data, True)
 
-            if user and auth.check_login(user, login_form.password.data):
+            if user:
                 # set up login in session
                 request.session['user_id'] = unicode(user.id)
                 request.session.save()
@@ -105,10 +109,6 @@ def login(request):
                 else:
                     return redirect(request, "index")
 
-            # Some failure during login occured if we are here!
-            # Prevent detecting who's on this system by testing login
-            # attempt timings
-            auth.fake_login_attempt()
             login_failed = True
 
     return render_to_response(
diff --git a/mediagoblin/db/migrations.py b/mediagoblin/db/migrations.py
index 1617db48..1f92417e 100644
--- a/mediagoblin/db/migrations.py
+++ b/mediagoblin/db/migrations.py
@@ -296,3 +296,5 @@ def pw_hash_nullable(db):
     user_table = inspect_table(metadata, "core__users")
 
     user_table.c.pw_hash.alter(nullable=True)
+
+    db.commit()
diff --git a/mediagoblin/plugins/httpapiauth/__init__.py b/mediagoblin/plugins/httpapiauth/__init__.py
index 09c99080..2b2d593c 100644
--- a/mediagoblin/plugins/httpapiauth/__init__.py
+++ b/mediagoblin/plugins/httpapiauth/__init__.py
@@ -18,8 +18,8 @@ import logging
 
 from werkzeug.exceptions import Unauthorized
 
+from mediagoblin.auth.tools import check_login_simple
 from mediagoblin.plugins.api.tools import Auth
-from mediagoblin.auth import check_login
 
 _log = logging.getLogger(__name__)
 
@@ -40,10 +40,10 @@ class HTTPAuth(Auth):
         if not request.authorization:
             return False
 
-        user = request.db.User.query.filter_by(
-                username=unicode(request.authorization['username'])).first()
+        user = check_login_simple(unicode(request.authorization['username']),
+                                  request.authorization['password'])
 
-        if check_login(user, request.authorization['password']):
+        if user:
             request.user = user
             return True
         else:
diff --git a/mediagoblin/plugins/piwigo/views.py b/mediagoblin/plugins/piwigo/views.py
index 705cdd49..ca723189 100644
--- a/mediagoblin/plugins/piwigo/views.py
+++ b/mediagoblin/plugins/piwigo/views.py
@@ -23,6 +23,7 @@ from werkzeug.exceptions import MethodNotAllowed, BadRequest, NotImplemented
 from werkzeug.wrappers import BaseResponse
 
 from mediagoblin.meddleware.csrf import csrf_exempt
+from mediagoblin.auth.tools import check_login_simple
 from mediagoblin.media_types import sniff_media
 from mediagoblin.submit.lib import check_file_field, prepare_queue_task, \
     run_process_media, new_upload_entry
@@ -32,8 +33,6 @@ from mediagoblin.db.models import Collection
 
 from .tools import CmdTable, response_xml, check_form, \
     PWGSession, PwgNamedArray, PwgError
-from mediagoblin.plugins.basic_auth.lib import fake_login_attempt
-from mediagoblin.auth import check_login
 from .forms import AddSimpleForm, AddForm
 
 
@@ -44,15 +43,9 @@ _log = logging.getLogger(__name__)
 def pwg_login(request):
     username = request.form.get("username")
     password = request.form.get("password")
-    user = request.db.User.query.filter_by(username=username).first()
+    user = check_login_simple(username, password)
     if not user:
-        _log.info("User %r not found", username)
-        fake_login_attempt()
         return PwgError(999, 'Invalid username/password')
-    if not check_login(user, password):
-        _log.warn("Wrong password for %r", username)
-        return PwgError(999, 'Invalid username/password')
-    _log.info("Logging %r in", username)
     request.session["user_id"] = user.id
     request.session.save()
     return True
diff --git a/mediagoblin/tools/mail.py b/mediagoblin/tools/mail.py
index 4fa02ce5..6886c859 100644
--- a/mediagoblin/tools/mail.py
+++ b/mediagoblin/tools/mail.py
@@ -16,7 +16,7 @@
 
 import smtplib
 from email.MIMEText import MIMEText
-from mediagoblin import mg_globals
+from mediagoblin import mg_globals, messages
 from mediagoblin.tools import common
 
 ### ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
@@ -135,3 +135,16 @@ def normalize_email(email):
         return None
     email = "@".join((em_user, em_dom.lower()))
     return email
+
+
+def email_debug_message(request):
+    """
+    If the server is running in email debug mode (which is
+    the current default), give a debug message to the user
+    so that they have an idea where to find their email.
+    """
+    if mg_globals.app_config['email_debug_mode']:
+        # DEBUG message, no need to translate
+        messages.add_message(request, messages.DEBUG,
+            u"This instance is running in email debug mode. "
+            u"The email will be on the console of the server process.")