Mercurial > kallithea
annotate rhodecode/lib/auth.py @ 3625:260a7a01b054 beta
follow Python conventions for boolean values
True and False might be singletons and the "default" values for "boolean"
expressions, but "all" values in Python has a boolean value and should be
evaluated as such. Checking with 'is True' and 'is False' is thus confusing,
error prone and unnessarily complex.
If we anywhere rely and nullable boolean fields from the database layer and
don't want the null value to be treated as False then we should check
explicitly for null with 'is None'.
author | Mads Kiilerich <madski@unity3d.com> |
---|---|
date | Thu, 28 Mar 2013 01:10:45 +0100 |
parents | b8f929bff7e3 |
children | 1ec67ddcaffe |
rev | line source |
---|---|
895
62c04c5cc971
Added some more details into user edit permissions view
Marcin Kuzminski <marcin@python-works.com>
parents:
779
diff
changeset
|
1 # -*- coding: utf-8 -*- |
62c04c5cc971
Added some more details into user edit permissions view
Marcin Kuzminski <marcin@python-works.com>
parents:
779
diff
changeset
|
2 """ |
62c04c5cc971
Added some more details into user edit permissions view
Marcin Kuzminski <marcin@python-works.com>
parents:
779
diff
changeset
|
3 rhodecode.lib.auth |
62c04c5cc971
Added some more details into user edit permissions view
Marcin Kuzminski <marcin@python-works.com>
parents:
779
diff
changeset
|
4 ~~~~~~~~~~~~~~~~~~ |
1203
6832ef664673
source code cleanup: remove trailing white space, normalize file endings
Marcin Kuzminski <marcin@python-works.com>
parents:
1195
diff
changeset
|
5 |
895
62c04c5cc971
Added some more details into user edit permissions view
Marcin Kuzminski <marcin@python-works.com>
parents:
779
diff
changeset
|
6 authentication and permission libraries |
1203
6832ef664673
source code cleanup: remove trailing white space, normalize file endings
Marcin Kuzminski <marcin@python-works.com>
parents:
1195
diff
changeset
|
7 |
895
62c04c5cc971
Added some more details into user edit permissions view
Marcin Kuzminski <marcin@python-works.com>
parents:
779
diff
changeset
|
8 :created_on: Apr 4, 2010 |
1824
89efedac4e6c
2012 copyrights
Marcin Kuzminski <marcin@python-works.com>
parents:
1818
diff
changeset
|
9 :author: marcink |
89efedac4e6c
2012 copyrights
Marcin Kuzminski <marcin@python-works.com>
parents:
1818
diff
changeset
|
10 :copyright: (C) 2010-2012 Marcin Kuzminski <marcin@python-works.com> |
1532
2afe9320d5e6
updated docstrings
Marcin Kuzminski <marcin@python-works.com>
parents:
1530
diff
changeset
|
11 :license: GPLv3, see COPYING for more details. |
895
62c04c5cc971
Added some more details into user edit permissions view
Marcin Kuzminski <marcin@python-works.com>
parents:
779
diff
changeset
|
12 """ |
1206
a671db5bdd58
fixed license issue #149
Marcin Kuzminski <marcin@python-works.com>
parents:
1203
diff
changeset
|
13 # This program is free software: you can redistribute it and/or modify |
a671db5bdd58
fixed license issue #149
Marcin Kuzminski <marcin@python-works.com>
parents:
1203
diff
changeset
|
14 # it under the terms of the GNU General Public License as published by |
a671db5bdd58
fixed license issue #149
Marcin Kuzminski <marcin@python-works.com>
parents:
1203
diff
changeset
|
15 # the Free Software Foundation, either version 3 of the License, or |
a671db5bdd58
fixed license issue #149
Marcin Kuzminski <marcin@python-works.com>
parents:
1203
diff
changeset
|
16 # (at your option) any later version. |
1203
6832ef664673
source code cleanup: remove trailing white space, normalize file endings
Marcin Kuzminski <marcin@python-works.com>
parents:
1195
diff
changeset
|
17 # |
252
3782a6d698af
licensing updates, code cleanups
Marcin Kuzminski <marcin@python-works.com>
parents:
239
diff
changeset
|
18 # This program is distributed in the hope that it will be useful, |
3782a6d698af
licensing updates, code cleanups
Marcin Kuzminski <marcin@python-works.com>
parents:
239
diff
changeset
|
19 # but WITHOUT ANY WARRANTY; without even the implied warranty of |
3782a6d698af
licensing updates, code cleanups
Marcin Kuzminski <marcin@python-works.com>
parents:
239
diff
changeset
|
20 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
3782a6d698af
licensing updates, code cleanups
Marcin Kuzminski <marcin@python-works.com>
parents:
239
diff
changeset
|
21 # GNU General Public License for more details. |
1203
6832ef664673
source code cleanup: remove trailing white space, normalize file endings
Marcin Kuzminski <marcin@python-works.com>
parents:
1195
diff
changeset
|
22 # |
252
3782a6d698af
licensing updates, code cleanups
Marcin Kuzminski <marcin@python-works.com>
parents:
239
diff
changeset
|
23 # You should have received a copy of the GNU General Public License |
1206
a671db5bdd58
fixed license issue #149
Marcin Kuzminski <marcin@python-works.com>
parents:
1203
diff
changeset
|
24 # along with this program. If not, see <http://www.gnu.org/licenses/>. |
381
55377fdc1fc6
cleared global application settings.
Marcin Kuzminski <marcin@python-works.com>
parents:
380
diff
changeset
|
25 |
895
62c04c5cc971
Added some more details into user edit permissions view
Marcin Kuzminski <marcin@python-works.com>
parents:
779
diff
changeset
|
26 import random |
62c04c5cc971
Added some more details into user edit permissions view
Marcin Kuzminski <marcin@python-works.com>
parents:
779
diff
changeset
|
27 import logging |
62c04c5cc971
Added some more details into user edit permissions view
Marcin Kuzminski <marcin@python-works.com>
parents:
779
diff
changeset
|
28 import traceback |
1116
716911af91e1
Added api_key into user, api key get's generated again after password change
Marcin Kuzminski <marcin@python-works.com>
parents:
1056
diff
changeset
|
29 import hashlib |
1118
b0e2c949c34b
Fixed Windows installation based on work of Mantis406 fork: "Replace py-bcrypt to make Windows installation easier"
Marcin Kuzminski <marcin@python-works.com>
parents:
1117
diff
changeset
|
30 |
1116
716911af91e1
Added api_key into user, api key get's generated again after password change
Marcin Kuzminski <marcin@python-works.com>
parents:
1056
diff
changeset
|
31 from tempfile import _RandomNameSequence |
895
62c04c5cc971
Added some more details into user edit permissions view
Marcin Kuzminski <marcin@python-works.com>
parents:
779
diff
changeset
|
32 from decorator import decorator |
62c04c5cc971
Added some more details into user edit permissions view
Marcin Kuzminski <marcin@python-works.com>
parents:
779
diff
changeset
|
33 |
1982
87f0800abc7b
#227 Initial version of repository groups permissions system
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
34 from pylons import config, url, request |
52 | 35 from pylons.controllers.util import abort, redirect |
1056
520d27f40b51
#113 removed anonymous access from forking, added system messages in login box.
Marcin Kuzminski <marcin@python-works.com>
parents:
1040
diff
changeset
|
36 from pylons.i18n.translation import _ |
3212
6c28533d122c
IP restrictions now also enabled for IPv6
Marcin Kuzminski <marcin@python-works.com>
parents:
3173
diff
changeset
|
37 from sqlalchemy.orm.exc import ObjectDeletedError |
895
62c04c5cc971
Added some more details into user edit permissions view
Marcin Kuzminski <marcin@python-works.com>
parents:
779
diff
changeset
|
38 |
2634
4b17216f2110
Deprecated validation of operating system, we just care if it's windows, let approve all other
Marcin Kuzminski <marcin@python-works.com>
parents:
2479
diff
changeset
|
39 from rhodecode import __platform__, is_windows, is_unix |
1749
8ecc6b8229a5
commit less models
Marcin Kuzminski <marcin@python-works.com>
parents:
1728
diff
changeset
|
40 from rhodecode.model.meta import Session |
1118
b0e2c949c34b
Fixed Windows installation based on work of Mantis406 fork: "Replace py-bcrypt to make Windows installation easier"
Marcin Kuzminski <marcin@python-works.com>
parents:
1117
diff
changeset
|
41 |
2109 | 42 from rhodecode.lib.utils2 import str2bool, safe_unicode |
895
62c04c5cc971
Added some more details into user edit permissions view
Marcin Kuzminski <marcin@python-works.com>
parents:
779
diff
changeset
|
43 from rhodecode.lib.exceptions import LdapPasswordError, LdapUsernameError |
1982
87f0800abc7b
#227 Initial version of repository groups permissions system
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
44 from rhodecode.lib.utils import get_repo_slug, get_repos_group_slug |
713
1bb0fcdec895
fixed #72 show warning on removal when user still is owner of existing repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
705
diff
changeset
|
45 from rhodecode.lib.auth_ldap import AuthLdap |
895
62c04c5cc971
Added some more details into user edit permissions view
Marcin Kuzminski <marcin@python-works.com>
parents:
779
diff
changeset
|
46 |
547
1e757ac98988
renamed project to rhodecode
Marcin Kuzminski <marcin@python-works.com>
parents:
508
diff
changeset
|
47 from rhodecode.model import meta |
673
dd532af216d9
#49 Enabled anonymous access for web interface controllable from permissions pannel
Marcin Kuzminski <marcin@python-works.com>
parents:
629
diff
changeset
|
48 from rhodecode.model.user import UserModel |
3125
9b92cf5a0cca
Added UserIpMap interface for allowed IP addresses and IP restriction access
Marcin Kuzminski <marcin@python-works.com>
parents:
2726
diff
changeset
|
49 from rhodecode.model.db import Permission, RhodeCodeSetting, User, UserIpMap |
3146
c5169e445fb8
Full IP restrictions enabled
Marcin Kuzminski <marcin@python-works.com>
parents:
3137
diff
changeset
|
50 from rhodecode.lib.caching_query import FromCache |
895
62c04c5cc971
Added some more details into user edit permissions view
Marcin Kuzminski <marcin@python-works.com>
parents:
779
diff
changeset
|
51 |
1246 | 52 log = logging.getLogger(__name__) |
343
6484963056cd
implemented cache for repeated queries in simplehg mercurial requests
Marcin Kuzminski <marcin@python-works.com>
parents:
339
diff
changeset
|
53 |
41
71ffa932799d
Added app basic auth.
Marcin Kuzminski <marcin@python-blog.com>
parents:
diff
changeset
|
54 |
474
a3d9d24acbec
Implemented password reset(forms/models/ tasks) and mailing tasks.
Marcin Kuzminski <marcin@python-works.com>
parents:
442
diff
changeset
|
55 class PasswordGenerator(object): |
1716
7d1fc253549e
notification to commit author + gardening
Marcin Kuzminski <marcin@python-works.com>
parents:
1644
diff
changeset
|
56 """ |
1818
cf51bbfb120e
auto white-space removal
Marcin Kuzminski <marcin@python-works.com>
parents:
1808
diff
changeset
|
57 This is a simple class for generating password from different sets of |
1716
7d1fc253549e
notification to commit author + gardening
Marcin Kuzminski <marcin@python-works.com>
parents:
1644
diff
changeset
|
58 characters |
7d1fc253549e
notification to commit author + gardening
Marcin Kuzminski <marcin@python-works.com>
parents:
1644
diff
changeset
|
59 usage:: |
7d1fc253549e
notification to commit author + gardening
Marcin Kuzminski <marcin@python-works.com>
parents:
1644
diff
changeset
|
60 |
474
a3d9d24acbec
Implemented password reset(forms/models/ tasks) and mailing tasks.
Marcin Kuzminski <marcin@python-works.com>
parents:
442
diff
changeset
|
61 passwd_gen = PasswordGenerator() |
1246 | 62 #print 8-letter password containing only big and small letters |
63 of alphabet | |
2278
24095abde696
print statement cleanup
Marcin Kuzminski <marcin@python-works.com>
parents:
2125
diff
changeset
|
64 passwd_gen.gen_password(8, passwd_gen.ALPHABETS_BIG_SMALL) |
474
a3d9d24acbec
Implemented password reset(forms/models/ tasks) and mailing tasks.
Marcin Kuzminski <marcin@python-works.com>
parents:
442
diff
changeset
|
65 """ |
1246 | 66 ALPHABETS_NUM = r'''1234567890''' |
67 ALPHABETS_SMALL = r'''qwertyuiopasdfghjklzxcvbnm''' | |
68 ALPHABETS_BIG = r'''QWERTYUIOPASDFGHJKLZXCVBNM''' | |
69 ALPHABETS_SPECIAL = r'''`-=[]\;',./~!@#$%^&*()_+{}|:"<>?''' | |
70 ALPHABETS_FULL = ALPHABETS_BIG + ALPHABETS_SMALL \ | |
71 + ALPHABETS_NUM + ALPHABETS_SPECIAL | |
72 ALPHABETS_ALPHANUM = ALPHABETS_BIG + ALPHABETS_SMALL + ALPHABETS_NUM | |
474
a3d9d24acbec
Implemented password reset(forms/models/ tasks) and mailing tasks.
Marcin Kuzminski <marcin@python-works.com>
parents:
442
diff
changeset
|
73 ALPHABETS_BIG_SMALL = ALPHABETS_BIG + ALPHABETS_SMALL |
1246 | 74 ALPHABETS_ALPHANUM_BIG = ALPHABETS_BIG + ALPHABETS_NUM |
75 ALPHABETS_ALPHANUM_SMALL = ALPHABETS_SMALL + ALPHABETS_NUM | |
673
dd532af216d9
#49 Enabled anonymous access for web interface controllable from permissions pannel
Marcin Kuzminski <marcin@python-works.com>
parents:
629
diff
changeset
|
76 |
474
a3d9d24acbec
Implemented password reset(forms/models/ tasks) and mailing tasks.
Marcin Kuzminski <marcin@python-works.com>
parents:
442
diff
changeset
|
77 def __init__(self, passwd=''): |
a3d9d24acbec
Implemented password reset(forms/models/ tasks) and mailing tasks.
Marcin Kuzminski <marcin@python-works.com>
parents:
442
diff
changeset
|
78 self.passwd = passwd |
a3d9d24acbec
Implemented password reset(forms/models/ tasks) and mailing tasks.
Marcin Kuzminski <marcin@python-works.com>
parents:
442
diff
changeset
|
79 |
1993
4d3179d2adfe
added optional password type in password generator
Marcin Kuzminski <marcin@python-works.com>
parents:
1992
diff
changeset
|
80 def gen_password(self, length, type_=None): |
4d3179d2adfe
added optional password type in password generator
Marcin Kuzminski <marcin@python-works.com>
parents:
1992
diff
changeset
|
81 if type_ is None: |
4d3179d2adfe
added optional password type in password generator
Marcin Kuzminski <marcin@python-works.com>
parents:
1992
diff
changeset
|
82 type_ = self.ALPHABETS_FULL |
1982
87f0800abc7b
#227 Initial version of repository groups permissions system
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
83 self.passwd = ''.join([random.choice(type_) for _ in xrange(length)]) |
474
a3d9d24acbec
Implemented password reset(forms/models/ tasks) and mailing tasks.
Marcin Kuzminski <marcin@python-works.com>
parents:
442
diff
changeset
|
84 return self.passwd |
a3d9d24acbec
Implemented password reset(forms/models/ tasks) and mailing tasks.
Marcin Kuzminski <marcin@python-works.com>
parents:
442
diff
changeset
|
85 |
1246 | 86 |
1118
b0e2c949c34b
Fixed Windows installation based on work of Mantis406 fork: "Replace py-bcrypt to make Windows installation easier"
Marcin Kuzminski <marcin@python-works.com>
parents:
1117
diff
changeset
|
87 class RhodeCodeCrypto(object): |
b0e2c949c34b
Fixed Windows installation based on work of Mantis406 fork: "Replace py-bcrypt to make Windows installation easier"
Marcin Kuzminski <marcin@python-works.com>
parents:
1117
diff
changeset
|
88 |
b0e2c949c34b
Fixed Windows installation based on work of Mantis406 fork: "Replace py-bcrypt to make Windows installation easier"
Marcin Kuzminski <marcin@python-works.com>
parents:
1117
diff
changeset
|
89 @classmethod |
b0e2c949c34b
Fixed Windows installation based on work of Mantis406 fork: "Replace py-bcrypt to make Windows installation easier"
Marcin Kuzminski <marcin@python-works.com>
parents:
1117
diff
changeset
|
90 def hash_string(cls, str_): |
b0e2c949c34b
Fixed Windows installation based on work of Mantis406 fork: "Replace py-bcrypt to make Windows installation easier"
Marcin Kuzminski <marcin@python-works.com>
parents:
1117
diff
changeset
|
91 """ |
b0e2c949c34b
Fixed Windows installation based on work of Mantis406 fork: "Replace py-bcrypt to make Windows installation easier"
Marcin Kuzminski <marcin@python-works.com>
parents:
1117
diff
changeset
|
92 Cryptographic function used for password hashing based on pybcrypt |
b0e2c949c34b
Fixed Windows installation based on work of Mantis406 fork: "Replace py-bcrypt to make Windows installation easier"
Marcin Kuzminski <marcin@python-works.com>
parents:
1117
diff
changeset
|
93 or pycrypto in windows |
1203
6832ef664673
source code cleanup: remove trailing white space, normalize file endings
Marcin Kuzminski <marcin@python-works.com>
parents:
1195
diff
changeset
|
94 |
1118
b0e2c949c34b
Fixed Windows installation based on work of Mantis406 fork: "Replace py-bcrypt to make Windows installation easier"
Marcin Kuzminski <marcin@python-works.com>
parents:
1117
diff
changeset
|
95 :param password: password to hash |
b0e2c949c34b
Fixed Windows installation based on work of Mantis406 fork: "Replace py-bcrypt to make Windows installation easier"
Marcin Kuzminski <marcin@python-works.com>
parents:
1117
diff
changeset
|
96 """ |
2634
4b17216f2110
Deprecated validation of operating system, we just care if it's windows, let approve all other
Marcin Kuzminski <marcin@python-works.com>
parents:
2479
diff
changeset
|
97 if is_windows: |
2479
9225597688f4
Added validation into user email map
Marcin Kuzminski <marcin@python-works.com>
parents:
2458
diff
changeset
|
98 from hashlib import sha256 |
1118
b0e2c949c34b
Fixed Windows installation based on work of Mantis406 fork: "Replace py-bcrypt to make Windows installation easier"
Marcin Kuzminski <marcin@python-works.com>
parents:
1117
diff
changeset
|
99 return sha256(str_).hexdigest() |
2634
4b17216f2110
Deprecated validation of operating system, we just care if it's windows, let approve all other
Marcin Kuzminski <marcin@python-works.com>
parents:
2479
diff
changeset
|
100 elif is_unix: |
2479
9225597688f4
Added validation into user email map
Marcin Kuzminski <marcin@python-works.com>
parents:
2458
diff
changeset
|
101 import bcrypt |
1118
b0e2c949c34b
Fixed Windows installation based on work of Mantis406 fork: "Replace py-bcrypt to make Windows installation easier"
Marcin Kuzminski <marcin@python-works.com>
parents:
1117
diff
changeset
|
102 return bcrypt.hashpw(str_, bcrypt.gensalt(10)) |
b0e2c949c34b
Fixed Windows installation based on work of Mantis406 fork: "Replace py-bcrypt to make Windows installation easier"
Marcin Kuzminski <marcin@python-works.com>
parents:
1117
diff
changeset
|
103 else: |
1246 | 104 raise Exception('Unknown or unsupported platform %s' \ |
105 % __platform__) | |
1118
b0e2c949c34b
Fixed Windows installation based on work of Mantis406 fork: "Replace py-bcrypt to make Windows installation easier"
Marcin Kuzminski <marcin@python-works.com>
parents:
1117
diff
changeset
|
106 |
b0e2c949c34b
Fixed Windows installation based on work of Mantis406 fork: "Replace py-bcrypt to make Windows installation easier"
Marcin Kuzminski <marcin@python-works.com>
parents:
1117
diff
changeset
|
107 @classmethod |
b0e2c949c34b
Fixed Windows installation based on work of Mantis406 fork: "Replace py-bcrypt to make Windows installation easier"
Marcin Kuzminski <marcin@python-works.com>
parents:
1117
diff
changeset
|
108 def hash_check(cls, password, hashed): |
b0e2c949c34b
Fixed Windows installation based on work of Mantis406 fork: "Replace py-bcrypt to make Windows installation easier"
Marcin Kuzminski <marcin@python-works.com>
parents:
1117
diff
changeset
|
109 """ |
b0e2c949c34b
Fixed Windows installation based on work of Mantis406 fork: "Replace py-bcrypt to make Windows installation easier"
Marcin Kuzminski <marcin@python-works.com>
parents:
1117
diff
changeset
|
110 Checks matching password with it's hashed value, runs different |
b0e2c949c34b
Fixed Windows installation based on work of Mantis406 fork: "Replace py-bcrypt to make Windows installation easier"
Marcin Kuzminski <marcin@python-works.com>
parents:
1117
diff
changeset
|
111 implementation based on platform it runs on |
1203
6832ef664673
source code cleanup: remove trailing white space, normalize file endings
Marcin Kuzminski <marcin@python-works.com>
parents:
1195
diff
changeset
|
112 |
1118
b0e2c949c34b
Fixed Windows installation based on work of Mantis406 fork: "Replace py-bcrypt to make Windows installation easier"
Marcin Kuzminski <marcin@python-works.com>
parents:
1117
diff
changeset
|
113 :param password: password |
b0e2c949c34b
Fixed Windows installation based on work of Mantis406 fork: "Replace py-bcrypt to make Windows installation easier"
Marcin Kuzminski <marcin@python-works.com>
parents:
1117
diff
changeset
|
114 :param hashed: password in hashed form |
b0e2c949c34b
Fixed Windows installation based on work of Mantis406 fork: "Replace py-bcrypt to make Windows installation easier"
Marcin Kuzminski <marcin@python-works.com>
parents:
1117
diff
changeset
|
115 """ |
b0e2c949c34b
Fixed Windows installation based on work of Mantis406 fork: "Replace py-bcrypt to make Windows installation easier"
Marcin Kuzminski <marcin@python-works.com>
parents:
1117
diff
changeset
|
116 |
2634
4b17216f2110
Deprecated validation of operating system, we just care if it's windows, let approve all other
Marcin Kuzminski <marcin@python-works.com>
parents:
2479
diff
changeset
|
117 if is_windows: |
2479
9225597688f4
Added validation into user email map
Marcin Kuzminski <marcin@python-works.com>
parents:
2458
diff
changeset
|
118 from hashlib import sha256 |
1118
b0e2c949c34b
Fixed Windows installation based on work of Mantis406 fork: "Replace py-bcrypt to make Windows installation easier"
Marcin Kuzminski <marcin@python-works.com>
parents:
1117
diff
changeset
|
119 return sha256(password).hexdigest() == hashed |
2634
4b17216f2110
Deprecated validation of operating system, we just care if it's windows, let approve all other
Marcin Kuzminski <marcin@python-works.com>
parents:
2479
diff
changeset
|
120 elif is_unix: |
2479
9225597688f4
Added validation into user email map
Marcin Kuzminski <marcin@python-works.com>
parents:
2458
diff
changeset
|
121 import bcrypt |
1118
b0e2c949c34b
Fixed Windows installation based on work of Mantis406 fork: "Replace py-bcrypt to make Windows installation easier"
Marcin Kuzminski <marcin@python-works.com>
parents:
1117
diff
changeset
|
122 return bcrypt.hashpw(password, hashed) == hashed |
b0e2c949c34b
Fixed Windows installation based on work of Mantis406 fork: "Replace py-bcrypt to make Windows installation easier"
Marcin Kuzminski <marcin@python-works.com>
parents:
1117
diff
changeset
|
123 else: |
1246 | 124 raise Exception('Unknown or unsupported platform %s' \ |
125 % __platform__) | |
1118
b0e2c949c34b
Fixed Windows installation based on work of Mantis406 fork: "Replace py-bcrypt to make Windows installation easier"
Marcin Kuzminski <marcin@python-works.com>
parents:
1117
diff
changeset
|
126 |
673
dd532af216d9
#49 Enabled anonymous access for web interface controllable from permissions pannel
Marcin Kuzminski <marcin@python-works.com>
parents:
629
diff
changeset
|
127 |
64
08707974eae4
Changed auth lib for sqlalchemy
Marcin Kuzminski <marcin@python-blog.com>
parents:
52
diff
changeset
|
128 def get_crypt_password(password): |
1118
b0e2c949c34b
Fixed Windows installation based on work of Mantis406 fork: "Replace py-bcrypt to make Windows installation easier"
Marcin Kuzminski <marcin@python-works.com>
parents:
1117
diff
changeset
|
129 return RhodeCodeCrypto.hash_string(password) |
b0e2c949c34b
Fixed Windows installation based on work of Mantis406 fork: "Replace py-bcrypt to make Windows installation easier"
Marcin Kuzminski <marcin@python-works.com>
parents:
1117
diff
changeset
|
130 |
1246 | 131 |
1118
b0e2c949c34b
Fixed Windows installation based on work of Mantis406 fork: "Replace py-bcrypt to make Windows installation easier"
Marcin Kuzminski <marcin@python-works.com>
parents:
1117
diff
changeset
|
132 def check_password(password, hashed): |
b0e2c949c34b
Fixed Windows installation based on work of Mantis406 fork: "Replace py-bcrypt to make Windows installation easier"
Marcin Kuzminski <marcin@python-works.com>
parents:
1117
diff
changeset
|
133 return RhodeCodeCrypto.hash_check(password, hashed) |
415
04e8b31fb245
Changed password crypting scheme to bcrypt, added dependency for setup
Marcin Kuzminski <marcin@python-works.com>
parents:
412
diff
changeset
|
134 |
1950
4ae17f819ee8
#344 optional firstname lastname on user creation
Marcin Kuzminski <marcin@python-works.com>
parents:
1824
diff
changeset
|
135 |
1628
de71a4bde097
Some code cleanups and fixes
Marcin Kuzminski <marcin@python-works.com>
parents:
1621
diff
changeset
|
136 def generate_api_key(str_, salt=None): |
de71a4bde097
Some code cleanups and fixes
Marcin Kuzminski <marcin@python-works.com>
parents:
1621
diff
changeset
|
137 """ |
de71a4bde097
Some code cleanups and fixes
Marcin Kuzminski <marcin@python-works.com>
parents:
1621
diff
changeset
|
138 Generates API KEY from given string |
1818
cf51bbfb120e
auto white-space removal
Marcin Kuzminski <marcin@python-works.com>
parents:
1808
diff
changeset
|
139 |
1628
de71a4bde097
Some code cleanups and fixes
Marcin Kuzminski <marcin@python-works.com>
parents:
1621
diff
changeset
|
140 :param str_: |
de71a4bde097
Some code cleanups and fixes
Marcin Kuzminski <marcin@python-works.com>
parents:
1621
diff
changeset
|
141 :param salt: |
de71a4bde097
Some code cleanups and fixes
Marcin Kuzminski <marcin@python-works.com>
parents:
1621
diff
changeset
|
142 """ |
1718
f78bee8eec78
reduce cookie size for better support of client side sessions
Marcin Kuzminski <marcin@python-works.com>
parents:
1716
diff
changeset
|
143 |
1116
716911af91e1
Added api_key into user, api key get's generated again after password change
Marcin Kuzminski <marcin@python-works.com>
parents:
1056
diff
changeset
|
144 if salt is None: |
716911af91e1
Added api_key into user, api key get's generated again after password change
Marcin Kuzminski <marcin@python-works.com>
parents:
1056
diff
changeset
|
145 salt = _RandomNameSequence().next() |
716911af91e1
Added api_key into user, api key get's generated again after password change
Marcin Kuzminski <marcin@python-works.com>
parents:
1056
diff
changeset
|
146 |
1628
de71a4bde097
Some code cleanups and fixes
Marcin Kuzminski <marcin@python-works.com>
parents:
1621
diff
changeset
|
147 return hashlib.sha1(str_ + salt).hexdigest() |
1116
716911af91e1
Added api_key into user, api key get's generated again after password change
Marcin Kuzminski <marcin@python-works.com>
parents:
1056
diff
changeset
|
148 |
1246 | 149 |
41
71ffa932799d
Added app basic auth.
Marcin Kuzminski <marcin@python-blog.com>
parents:
diff
changeset
|
150 def authfunc(environ, username, password): |
1628
de71a4bde097
Some code cleanups and fixes
Marcin Kuzminski <marcin@python-works.com>
parents:
1621
diff
changeset
|
151 """ |
1818
cf51bbfb120e
auto white-space removal
Marcin Kuzminski <marcin@python-works.com>
parents:
1808
diff
changeset
|
152 Dummy authentication wrapper function used in Mercurial and Git for |
1644 | 153 access control. |
1203
6832ef664673
source code cleanup: remove trailing white space, normalize file endings
Marcin Kuzminski <marcin@python-works.com>
parents:
1195
diff
changeset
|
154 |
761
56c2850a5b5f
ldap auth rewrite, moved split authfunc into two functions,
Marcin Kuzminski <marcin@python-works.com>
parents:
749
diff
changeset
|
155 :param environ: needed only for using in Basic auth |
56c2850a5b5f
ldap auth rewrite, moved split authfunc into two functions,
Marcin Kuzminski <marcin@python-works.com>
parents:
749
diff
changeset
|
156 """ |
56c2850a5b5f
ldap auth rewrite, moved split authfunc into two functions,
Marcin Kuzminski <marcin@python-works.com>
parents:
749
diff
changeset
|
157 return authenticate(username, password) |
56c2850a5b5f
ldap auth rewrite, moved split authfunc into two functions,
Marcin Kuzminski <marcin@python-works.com>
parents:
749
diff
changeset
|
158 |
56c2850a5b5f
ldap auth rewrite, moved split authfunc into two functions,
Marcin Kuzminski <marcin@python-works.com>
parents:
749
diff
changeset
|
159 |
56c2850a5b5f
ldap auth rewrite, moved split authfunc into two functions,
Marcin Kuzminski <marcin@python-works.com>
parents:
749
diff
changeset
|
160 def authenticate(username, password): |
1628
de71a4bde097
Some code cleanups and fixes
Marcin Kuzminski <marcin@python-works.com>
parents:
1621
diff
changeset
|
161 """ |
de71a4bde097
Some code cleanups and fixes
Marcin Kuzminski <marcin@python-works.com>
parents:
1621
diff
changeset
|
162 Authentication function used for access control, |
699
52da7cba88a6
Code refactor for auth func, preparing for ldap support
Marcin Kuzminski <marcin@python-works.com>
parents:
692
diff
changeset
|
163 firstly checks for db authentication then if ldap is enabled for ldap |
705
9e9f1b919c0c
implements #60, ldap configuration and authentication.
Marcin Kuzminski <marcin@python-works.com>
parents:
699
diff
changeset
|
164 authentication, also creates ldap user if not in database |
1203
6832ef664673
source code cleanup: remove trailing white space, normalize file endings
Marcin Kuzminski <marcin@python-works.com>
parents:
1195
diff
changeset
|
165 |
699
52da7cba88a6
Code refactor for auth func, preparing for ldap support
Marcin Kuzminski <marcin@python-works.com>
parents:
692
diff
changeset
|
166 :param username: username |
52da7cba88a6
Code refactor for auth func, preparing for ldap support
Marcin Kuzminski <marcin@python-works.com>
parents:
692
diff
changeset
|
167 :param password: password |
52da7cba88a6
Code refactor for auth func, preparing for ldap support
Marcin Kuzminski <marcin@python-works.com>
parents:
692
diff
changeset
|
168 """ |
1292
c0335c1dee36
added some fixes to LDAP form re-submition, new simples ldap-settings getter.
Marcin Kuzminski <marcin@python-works.com>
parents:
1290
diff
changeset
|
169 |
705
9e9f1b919c0c
implements #60, ldap configuration and authentication.
Marcin Kuzminski <marcin@python-works.com>
parents:
699
diff
changeset
|
170 user_model = UserModel() |
1530
04027bdb876c
Refactoring of model get functions
Marcin Kuzminski <marcin@python-works.com>
parents:
1425
diff
changeset
|
171 user = User.get_by_username(username) |
699
52da7cba88a6
Code refactor for auth func, preparing for ldap support
Marcin Kuzminski <marcin@python-works.com>
parents:
692
diff
changeset
|
172 |
761
56c2850a5b5f
ldap auth rewrite, moved split authfunc into two functions,
Marcin Kuzminski <marcin@python-works.com>
parents:
749
diff
changeset
|
173 log.debug('Authenticating user using RhodeCode account') |
991
b232a36cc51f
Improve LDAP authentication
Thayne Harbaugh <thayne@fusionio.com>
parents:
895
diff
changeset
|
174 if user is not None and not user.ldap_dn: |
64
08707974eae4
Changed auth lib for sqlalchemy
Marcin Kuzminski <marcin@python-blog.com>
parents:
52
diff
changeset
|
175 if user.active: |
674
99875a8f2ad1
#49 Enabled anonymous access push and pull commands
Marcin Kuzminski <marcin@python-works.com>
parents:
673
diff
changeset
|
176 if user.username == 'default' and user.active: |
2025
7e979933ffec
more work on improving info logging
Marcin Kuzminski <marcin@python-works.com>
parents:
2000
diff
changeset
|
177 log.info('user %s authenticated correctly as anonymous user' % |
761
56c2850a5b5f
ldap auth rewrite, moved split authfunc into two functions,
Marcin Kuzminski <marcin@python-works.com>
parents:
749
diff
changeset
|
178 username) |
674
99875a8f2ad1
#49 Enabled anonymous access push and pull commands
Marcin Kuzminski <marcin@python-works.com>
parents:
673
diff
changeset
|
179 return True |
99875a8f2ad1
#49 Enabled anonymous access push and pull commands
Marcin Kuzminski <marcin@python-works.com>
parents:
673
diff
changeset
|
180 |
1246 | 181 elif user.username == username and check_password(password, |
182 user.password): | |
1976 | 183 log.info('user %s authenticated correctly' % username) |
41
71ffa932799d
Added app basic auth.
Marcin Kuzminski <marcin@python-blog.com>
parents:
diff
changeset
|
184 return True |
71ffa932799d
Added app basic auth.
Marcin Kuzminski <marcin@python-blog.com>
parents:
diff
changeset
|
185 else: |
2025
7e979933ffec
more work on improving info logging
Marcin Kuzminski <marcin@python-works.com>
parents:
2000
diff
changeset
|
186 log.warning('user %s tried auth but is disabled' % username) |
705
9e9f1b919c0c
implements #60, ldap configuration and authentication.
Marcin Kuzminski <marcin@python-works.com>
parents:
699
diff
changeset
|
187 |
9e9f1b919c0c
implements #60, ldap configuration and authentication.
Marcin Kuzminski <marcin@python-works.com>
parents:
699
diff
changeset
|
188 else: |
761
56c2850a5b5f
ldap auth rewrite, moved split authfunc into two functions,
Marcin Kuzminski <marcin@python-works.com>
parents:
749
diff
changeset
|
189 log.debug('Regular authentication failed') |
1530
04027bdb876c
Refactoring of model get functions
Marcin Kuzminski <marcin@python-works.com>
parents:
1425
diff
changeset
|
190 user_obj = User.get_by_username(username, case_insensitive=True) |
761
56c2850a5b5f
ldap auth rewrite, moved split authfunc into two functions,
Marcin Kuzminski <marcin@python-works.com>
parents:
749
diff
changeset
|
191 |
991
b232a36cc51f
Improve LDAP authentication
Thayne Harbaugh <thayne@fusionio.com>
parents:
895
diff
changeset
|
192 if user_obj is not None and not user_obj.ldap_dn: |
749
fcd4fb51526e
added debug message for ldap auth
Marcin Kuzminski <marcin@python-works.com>
parents:
748
diff
changeset
|
193 log.debug('this user already exists as non ldap') |
748
88338675a0f7
fixed ldap issue and small template fix
Marcin Kuzminski <marcin@python-works.com>
parents:
742
diff
changeset
|
194 return False |
88338675a0f7
fixed ldap issue and small template fix
Marcin Kuzminski <marcin@python-works.com>
parents:
742
diff
changeset
|
195 |
1633
2c0d35e336b5
refactoring of models names for repoGroup permissions
Marcin Kuzminski <marcin@python-works.com>
parents:
1630
diff
changeset
|
196 ldap_settings = RhodeCodeSetting.get_ldap_settings() |
705
9e9f1b919c0c
implements #60, ldap configuration and authentication.
Marcin Kuzminski <marcin@python-works.com>
parents:
699
diff
changeset
|
197 #====================================================================== |
1203
6832ef664673
source code cleanup: remove trailing white space, normalize file endings
Marcin Kuzminski <marcin@python-works.com>
parents:
1195
diff
changeset
|
198 # FALLBACK TO LDAP AUTH IF ENABLE |
705
9e9f1b919c0c
implements #60, ldap configuration and authentication.
Marcin Kuzminski <marcin@python-works.com>
parents:
699
diff
changeset
|
199 #====================================================================== |
1135
1aa1655bf019
fixed some config bool converter problems with ldap
Marcin Kuzminski <marcin@python-works.com>
parents:
1122
diff
changeset
|
200 if str2bool(ldap_settings.get('ldap_active')): |
761
56c2850a5b5f
ldap auth rewrite, moved split authfunc into two functions,
Marcin Kuzminski <marcin@python-works.com>
parents:
749
diff
changeset
|
201 log.debug("Authenticating user using ldap") |
705
9e9f1b919c0c
implements #60, ldap configuration and authentication.
Marcin Kuzminski <marcin@python-works.com>
parents:
699
diff
changeset
|
202 kwargs = { |
1246 | 203 'server': ldap_settings.get('ldap_host', ''), |
204 'base_dn': ldap_settings.get('ldap_base_dn', ''), | |
205 'port': ldap_settings.get('ldap_port'), | |
206 'bind_dn': ldap_settings.get('ldap_dn_user'), | |
207 'bind_pass': ldap_settings.get('ldap_dn_pass'), | |
1290
74685a31cc43
Enable start_tls connection encryption.
"Lorenzo M. Catucci" <lorenzo@sancho.ccd.uniroma2.it>
parents:
1288
diff
changeset
|
208 'tls_kind': ldap_settings.get('ldap_tls_kind'), |
1246 | 209 'tls_reqcert': ldap_settings.get('ldap_tls_reqcert'), |
210 'ldap_filter': ldap_settings.get('ldap_filter'), | |
211 'search_scope': ldap_settings.get('ldap_search_scope'), | |
212 'attr_login': ldap_settings.get('ldap_attr_login'), | |
213 'ldap_version': 3, | |
705
9e9f1b919c0c
implements #60, ldap configuration and authentication.
Marcin Kuzminski <marcin@python-works.com>
parents:
699
diff
changeset
|
214 } |
9e9f1b919c0c
implements #60, ldap configuration and authentication.
Marcin Kuzminski <marcin@python-works.com>
parents:
699
diff
changeset
|
215 log.debug('Checking for ldap authentication') |
9e9f1b919c0c
implements #60, ldap configuration and authentication.
Marcin Kuzminski <marcin@python-works.com>
parents:
699
diff
changeset
|
216 try: |
9e9f1b919c0c
implements #60, ldap configuration and authentication.
Marcin Kuzminski <marcin@python-works.com>
parents:
699
diff
changeset
|
217 aldap = AuthLdap(**kwargs) |
1246 | 218 (user_dn, ldap_attrs) = aldap.authenticate_ldap(username, |
219 password) | |
1976 | 220 log.debug('Got ldap DN response %s' % user_dn) |
705
9e9f1b919c0c
implements #60, ldap configuration and authentication.
Marcin Kuzminski <marcin@python-works.com>
parents:
699
diff
changeset
|
221 |
1307 | 222 get_ldap_attr = lambda k: ldap_attrs.get(ldap_settings\ |
1292
c0335c1dee36
added some fixes to LDAP form re-submition, new simples ldap-settings getter.
Marcin Kuzminski <marcin@python-works.com>
parents:
1290
diff
changeset
|
223 .get(k), [''])[0] |
c0335c1dee36
added some fixes to LDAP form re-submition, new simples ldap-settings getter.
Marcin Kuzminski <marcin@python-works.com>
parents:
1290
diff
changeset
|
224 |
991
b232a36cc51f
Improve LDAP authentication
Thayne Harbaugh <thayne@fusionio.com>
parents:
895
diff
changeset
|
225 user_attrs = { |
1425
3dedf3991d40
fixes #173, many thanks for slestak for contributing into this one.
Marcin Kuzminski <marcin@python-works.com>
parents:
1336
diff
changeset
|
226 'name': safe_unicode(get_ldap_attr('ldap_attr_firstname')), |
3dedf3991d40
fixes #173, many thanks for slestak for contributing into this one.
Marcin Kuzminski <marcin@python-works.com>
parents:
1336
diff
changeset
|
227 'lastname': safe_unicode(get_ldap_attr('ldap_attr_lastname')), |
3dedf3991d40
fixes #173, many thanks for slestak for contributing into this one.
Marcin Kuzminski <marcin@python-works.com>
parents:
1336
diff
changeset
|
228 'email': get_ldap_attr('ldap_attr_email'), |
3370
fdb0f59b2189
fixes #762, LDAP and container created users are now activated based on
Marcin Kuzminski <marcin@python-works.com>
parents:
3313
diff
changeset
|
229 'active': 'hg.register.auto_activate' in User\ |
fdb0f59b2189
fixes #762, LDAP and container created users are now activated based on
Marcin Kuzminski <marcin@python-works.com>
parents:
3313
diff
changeset
|
230 .get_by_username('default').AuthUser.permissions['global'] |
1425
3dedf3991d40
fixes #173, many thanks for slestak for contributing into this one.
Marcin Kuzminski <marcin@python-works.com>
parents:
1336
diff
changeset
|
231 } |
2000
72c525a7e7ad
added migrations from 1.2.X to 1.3
Marcin Kuzminski <marcin@python-works.com>
parents:
1993
diff
changeset
|
232 |
72c525a7e7ad
added migrations from 1.2.X to 1.3
Marcin Kuzminski <marcin@python-works.com>
parents:
1993
diff
changeset
|
233 # don't store LDAP password since we don't need it. Override |
1992
335b55caa81d
#355 replaced stored LDAP password with some random generated one
Marcin Kuzminski <marcin@python-works.com>
parents:
1982
diff
changeset
|
234 # with some random generated password |
335b55caa81d
#355 replaced stored LDAP password with some random generated one
Marcin Kuzminski <marcin@python-works.com>
parents:
1982
diff
changeset
|
235 _password = PasswordGenerator().gen_password(length=8) |
335b55caa81d
#355 replaced stored LDAP password with some random generated one
Marcin Kuzminski <marcin@python-works.com>
parents:
1982
diff
changeset
|
236 # create this user on the fly if it doesn't exist in rhodecode |
335b55caa81d
#355 replaced stored LDAP password with some random generated one
Marcin Kuzminski <marcin@python-works.com>
parents:
1982
diff
changeset
|
237 # database |
335b55caa81d
#355 replaced stored LDAP password with some random generated one
Marcin Kuzminski <marcin@python-works.com>
parents:
1982
diff
changeset
|
238 if user_model.create_ldap(username, _password, user_dn, |
1246 | 239 user_attrs): |
1976 | 240 log.info('created new ldap user %s' % username) |
1818
cf51bbfb120e
auto white-space removal
Marcin Kuzminski <marcin@python-works.com>
parents:
1808
diff
changeset
|
241 |
2634
4b17216f2110
Deprecated validation of operating system, we just care if it's windows, let approve all other
Marcin Kuzminski <marcin@python-works.com>
parents:
2479
diff
changeset
|
242 Session().commit() |
761
56c2850a5b5f
ldap auth rewrite, moved split authfunc into two functions,
Marcin Kuzminski <marcin@python-works.com>
parents:
749
diff
changeset
|
243 return True |
56c2850a5b5f
ldap auth rewrite, moved split authfunc into two functions,
Marcin Kuzminski <marcin@python-works.com>
parents:
749
diff
changeset
|
244 except (LdapUsernameError, LdapPasswordError,): |
56c2850a5b5f
ldap auth rewrite, moved split authfunc into two functions,
Marcin Kuzminski <marcin@python-works.com>
parents:
749
diff
changeset
|
245 pass |
56c2850a5b5f
ldap auth rewrite, moved split authfunc into two functions,
Marcin Kuzminski <marcin@python-works.com>
parents:
749
diff
changeset
|
246 except (Exception,): |
705
9e9f1b919c0c
implements #60, ldap configuration and authentication.
Marcin Kuzminski <marcin@python-works.com>
parents:
699
diff
changeset
|
247 log.error(traceback.format_exc()) |
761
56c2850a5b5f
ldap auth rewrite, moved split authfunc into two functions,
Marcin Kuzminski <marcin@python-works.com>
parents:
749
diff
changeset
|
248 pass |
41
71ffa932799d
Added app basic auth.
Marcin Kuzminski <marcin@python-blog.com>
parents:
diff
changeset
|
249 return False |
71ffa932799d
Added app basic auth.
Marcin Kuzminski <marcin@python-blog.com>
parents:
diff
changeset
|
250 |
1950
4ae17f819ee8
#344 optional firstname lastname on user creation
Marcin Kuzminski <marcin@python-works.com>
parents:
1824
diff
changeset
|
251 |
1621
cbc2b1913cdf
Added basic automatic user creation for container auth
Liad Shani <liadff@gmail.com>
parents:
1618
diff
changeset
|
252 def login_container_auth(username): |
cbc2b1913cdf
Added basic automatic user creation for container auth
Liad Shani <liadff@gmail.com>
parents:
1618
diff
changeset
|
253 user = User.get_by_username(username) |
cbc2b1913cdf
Added basic automatic user creation for container auth
Liad Shani <liadff@gmail.com>
parents:
1618
diff
changeset
|
254 if user is None: |
cbc2b1913cdf
Added basic automatic user creation for container auth
Liad Shani <liadff@gmail.com>
parents:
1618
diff
changeset
|
255 user_attrs = { |
1628
de71a4bde097
Some code cleanups and fixes
Marcin Kuzminski <marcin@python-works.com>
parents:
1621
diff
changeset
|
256 'name': username, |
de71a4bde097
Some code cleanups and fixes
Marcin Kuzminski <marcin@python-works.com>
parents:
1621
diff
changeset
|
257 'lastname': None, |
de71a4bde097
Some code cleanups and fixes
Marcin Kuzminski <marcin@python-works.com>
parents:
1621
diff
changeset
|
258 'email': None, |
3370
fdb0f59b2189
fixes #762, LDAP and container created users are now activated based on
Marcin Kuzminski <marcin@python-works.com>
parents:
3313
diff
changeset
|
259 'active': 'hg.register.auto_activate' in User\ |
fdb0f59b2189
fixes #762, LDAP and container created users are now activated based on
Marcin Kuzminski <marcin@python-works.com>
parents:
3313
diff
changeset
|
260 .get_by_username('default').AuthUser.permissions['global'] |
1628
de71a4bde097
Some code cleanups and fixes
Marcin Kuzminski <marcin@python-works.com>
parents:
1621
diff
changeset
|
261 } |
1749
8ecc6b8229a5
commit less models
Marcin Kuzminski <marcin@python-works.com>
parents:
1728
diff
changeset
|
262 user = UserModel().create_for_container_auth(username, user_attrs) |
1628
de71a4bde097
Some code cleanups and fixes
Marcin Kuzminski <marcin@python-works.com>
parents:
1621
diff
changeset
|
263 if not user: |
1621
cbc2b1913cdf
Added basic automatic user creation for container auth
Liad Shani <liadff@gmail.com>
parents:
1618
diff
changeset
|
264 return None |
1976 | 265 log.info('User %s was created by container authentication' % username) |
1621
cbc2b1913cdf
Added basic automatic user creation for container auth
Liad Shani <liadff@gmail.com>
parents:
1618
diff
changeset
|
266 |
cbc2b1913cdf
Added basic automatic user creation for container auth
Liad Shani <liadff@gmail.com>
parents:
1618
diff
changeset
|
267 if not user.active: |
cbc2b1913cdf
Added basic automatic user creation for container auth
Liad Shani <liadff@gmail.com>
parents:
1618
diff
changeset
|
268 return None |
cbc2b1913cdf
Added basic automatic user creation for container auth
Liad Shani <liadff@gmail.com>
parents:
1618
diff
changeset
|
269 |
cbc2b1913cdf
Added basic automatic user creation for container auth
Liad Shani <liadff@gmail.com>
parents:
1618
diff
changeset
|
270 user.update_lastlogin() |
2634
4b17216f2110
Deprecated validation of operating system, we just care if it's windows, let approve all other
Marcin Kuzminski <marcin@python-works.com>
parents:
2479
diff
changeset
|
271 Session().commit() |
1818
cf51bbfb120e
auto white-space removal
Marcin Kuzminski <marcin@python-works.com>
parents:
1808
diff
changeset
|
272 |
1718
f78bee8eec78
reduce cookie size for better support of client side sessions
Marcin Kuzminski <marcin@python-works.com>
parents:
1716
diff
changeset
|
273 log.debug('User %s is now logged in by container authentication', |
1628
de71a4bde097
Some code cleanups and fixes
Marcin Kuzminski <marcin@python-works.com>
parents:
1621
diff
changeset
|
274 user.username) |
1621
cbc2b1913cdf
Added basic automatic user creation for container auth
Liad Shani <liadff@gmail.com>
parents:
1618
diff
changeset
|
275 return user |
cbc2b1913cdf
Added basic automatic user creation for container auth
Liad Shani <liadff@gmail.com>
parents:
1618
diff
changeset
|
276 |
1950
4ae17f819ee8
#344 optional firstname lastname on user creation
Marcin Kuzminski <marcin@python-works.com>
parents:
1824
diff
changeset
|
277 |
3173
db0871d942b6
adde cleanup username flag into get_container_username function
Marcin Kuzminski <marcin@python-works.com>
parents:
3172
diff
changeset
|
278 def get_container_username(environ, config, clean_username=False): |
db0871d942b6
adde cleanup username flag into get_container_username function
Marcin Kuzminski <marcin@python-works.com>
parents:
3172
diff
changeset
|
279 """ |
db0871d942b6
adde cleanup username flag into get_container_username function
Marcin Kuzminski <marcin@python-works.com>
parents:
3172
diff
changeset
|
280 Get's the container_auth username (or email). It tries to get username |
db0871d942b6
adde cleanup username flag into get_container_username function
Marcin Kuzminski <marcin@python-works.com>
parents:
3172
diff
changeset
|
281 from REMOTE_USER if container_auth_enabled is enabled, if that fails |
db0871d942b6
adde cleanup username flag into get_container_username function
Marcin Kuzminski <marcin@python-works.com>
parents:
3172
diff
changeset
|
282 it tries to get username from HTTP_X_FORWARDED_USER if proxypass_auth_enabled |
db0871d942b6
adde cleanup username flag into get_container_username function
Marcin Kuzminski <marcin@python-works.com>
parents:
3172
diff
changeset
|
283 is enabled. clean_username extracts the username from this data if it's |
db0871d942b6
adde cleanup username flag into get_container_username function
Marcin Kuzminski <marcin@python-works.com>
parents:
3172
diff
changeset
|
284 having @ in it. |
db0871d942b6
adde cleanup username flag into get_container_username function
Marcin Kuzminski <marcin@python-works.com>
parents:
3172
diff
changeset
|
285 |
db0871d942b6
adde cleanup username flag into get_container_username function
Marcin Kuzminski <marcin@python-works.com>
parents:
3172
diff
changeset
|
286 :param environ: |
db0871d942b6
adde cleanup username flag into get_container_username function
Marcin Kuzminski <marcin@python-works.com>
parents:
3172
diff
changeset
|
287 :param config: |
db0871d942b6
adde cleanup username flag into get_container_username function
Marcin Kuzminski <marcin@python-works.com>
parents:
3172
diff
changeset
|
288 :param clean_username: |
db0871d942b6
adde cleanup username flag into get_container_username function
Marcin Kuzminski <marcin@python-works.com>
parents:
3172
diff
changeset
|
289 """ |
1630
25d8e4836bc2
Improved container-based auth support for middleware
Liad Shani <liadff@gmail.com>
parents:
1628
diff
changeset
|
290 username = None |
1621
cbc2b1913cdf
Added basic automatic user creation for container auth
Liad Shani <liadff@gmail.com>
parents:
1618
diff
changeset
|
291 |
1630
25d8e4836bc2
Improved container-based auth support for middleware
Liad Shani <liadff@gmail.com>
parents:
1628
diff
changeset
|
292 if str2bool(config.get('container_auth_enabled', False)): |
25d8e4836bc2
Improved container-based auth support for middleware
Liad Shani <liadff@gmail.com>
parents:
1628
diff
changeset
|
293 from paste.httpheaders import REMOTE_USER |
25d8e4836bc2
Improved container-based auth support for middleware
Liad Shani <liadff@gmail.com>
parents:
1628
diff
changeset
|
294 username = REMOTE_USER(environ) |
3172
264d9c930c17
added some more logging into get_container_username function
Marcin Kuzminski <marcin@python-works.com>
parents:
3161
diff
changeset
|
295 log.debug('extracted REMOTE_USER:%s' % (username)) |
1630
25d8e4836bc2
Improved container-based auth support for middleware
Liad Shani <liadff@gmail.com>
parents:
1628
diff
changeset
|
296 |
25d8e4836bc2
Improved container-based auth support for middleware
Liad Shani <liadff@gmail.com>
parents:
1628
diff
changeset
|
297 if not username and str2bool(config.get('proxypass_auth_enabled', False)): |
1617
cf128ced8c85
Improved container-based auth implementation and added support for a reverse-proxy setup (using the X-Forwarded-User header)
Liad Shani <liadff@gmail.com>
parents:
1614
diff
changeset
|
298 username = environ.get('HTTP_X_FORWARDED_USER') |
3172
264d9c930c17
added some more logging into get_container_username function
Marcin Kuzminski <marcin@python-works.com>
parents:
3161
diff
changeset
|
299 log.debug('extracted HTTP_X_FORWARDED_USER:%s' % (username)) |
1617
cf128ced8c85
Improved container-based auth implementation and added support for a reverse-proxy setup (using the X-Forwarded-User header)
Liad Shani <liadff@gmail.com>
parents:
1614
diff
changeset
|
300 |
3173
db0871d942b6
adde cleanup username flag into get_container_username function
Marcin Kuzminski <marcin@python-works.com>
parents:
3172
diff
changeset
|
301 if username and clean_username: |
1628
de71a4bde097
Some code cleanups and fixes
Marcin Kuzminski <marcin@python-works.com>
parents:
1621
diff
changeset
|
302 # Removing realm and domain from username |
1617
cf128ced8c85
Improved container-based auth implementation and added support for a reverse-proxy setup (using the X-Forwarded-User header)
Liad Shani <liadff@gmail.com>
parents:
1614
diff
changeset
|
303 username = username.partition('@')[0] |
cf128ced8c85
Improved container-based auth implementation and added support for a reverse-proxy setup (using the X-Forwarded-User header)
Liad Shani <liadff@gmail.com>
parents:
1614
diff
changeset
|
304 username = username.rpartition('\\')[2] |
3172
264d9c930c17
added some more logging into get_container_username function
Marcin Kuzminski <marcin@python-works.com>
parents:
3161
diff
changeset
|
305 log.debug('Received username %s from container' % username) |
1617
cf128ced8c85
Improved container-based auth implementation and added support for a reverse-proxy setup (using the X-Forwarded-User header)
Liad Shani <liadff@gmail.com>
parents:
1614
diff
changeset
|
306 |
cf128ced8c85
Improved container-based auth implementation and added support for a reverse-proxy setup (using the X-Forwarded-User header)
Liad Shani <liadff@gmail.com>
parents:
1614
diff
changeset
|
307 return username |
1246 | 308 |
1950
4ae17f819ee8
#344 optional firstname lastname on user creation
Marcin Kuzminski <marcin@python-works.com>
parents:
1824
diff
changeset
|
309 |
2030
61f9aeb2129e
Added session wrapper, for rc 1.2.X compatibility. Adds backwards compatability
Marcin Kuzminski <marcin@python-works.com>
parents:
2025
diff
changeset
|
310 class CookieStoreWrapper(object): |
61f9aeb2129e
Added session wrapper, for rc 1.2.X compatibility. Adds backwards compatability
Marcin Kuzminski <marcin@python-works.com>
parents:
2025
diff
changeset
|
311 |
61f9aeb2129e
Added session wrapper, for rc 1.2.X compatibility. Adds backwards compatability
Marcin Kuzminski <marcin@python-works.com>
parents:
2025
diff
changeset
|
312 def __init__(self, cookie_store): |
61f9aeb2129e
Added session wrapper, for rc 1.2.X compatibility. Adds backwards compatability
Marcin Kuzminski <marcin@python-works.com>
parents:
2025
diff
changeset
|
313 self.cookie_store = cookie_store |
61f9aeb2129e
Added session wrapper, for rc 1.2.X compatibility. Adds backwards compatability
Marcin Kuzminski <marcin@python-works.com>
parents:
2025
diff
changeset
|
314 |
61f9aeb2129e
Added session wrapper, for rc 1.2.X compatibility. Adds backwards compatability
Marcin Kuzminski <marcin@python-works.com>
parents:
2025
diff
changeset
|
315 def __repr__(self): |
61f9aeb2129e
Added session wrapper, for rc 1.2.X compatibility. Adds backwards compatability
Marcin Kuzminski <marcin@python-works.com>
parents:
2025
diff
changeset
|
316 return 'CookieStore<%s>' % (self.cookie_store) |
61f9aeb2129e
Added session wrapper, for rc 1.2.X compatibility. Adds backwards compatability
Marcin Kuzminski <marcin@python-works.com>
parents:
2025
diff
changeset
|
317 |
61f9aeb2129e
Added session wrapper, for rc 1.2.X compatibility. Adds backwards compatability
Marcin Kuzminski <marcin@python-works.com>
parents:
2025
diff
changeset
|
318 def get(self, key, other=None): |
61f9aeb2129e
Added session wrapper, for rc 1.2.X compatibility. Adds backwards compatability
Marcin Kuzminski <marcin@python-works.com>
parents:
2025
diff
changeset
|
319 if isinstance(self.cookie_store, dict): |
61f9aeb2129e
Added session wrapper, for rc 1.2.X compatibility. Adds backwards compatability
Marcin Kuzminski <marcin@python-works.com>
parents:
2025
diff
changeset
|
320 return self.cookie_store.get(key, other) |
61f9aeb2129e
Added session wrapper, for rc 1.2.X compatibility. Adds backwards compatability
Marcin Kuzminski <marcin@python-works.com>
parents:
2025
diff
changeset
|
321 elif isinstance(self.cookie_store, AuthUser): |
61f9aeb2129e
Added session wrapper, for rc 1.2.X compatibility. Adds backwards compatability
Marcin Kuzminski <marcin@python-works.com>
parents:
2025
diff
changeset
|
322 return self.cookie_store.__dict__.get(key, other) |
61f9aeb2129e
Added session wrapper, for rc 1.2.X compatibility. Adds backwards compatability
Marcin Kuzminski <marcin@python-works.com>
parents:
2025
diff
changeset
|
323 |
61f9aeb2129e
Added session wrapper, for rc 1.2.X compatibility. Adds backwards compatability
Marcin Kuzminski <marcin@python-works.com>
parents:
2025
diff
changeset
|
324 |
190
d8eb7ee27b4c
Added LoginRequired decorator, empty User data container, hash functions
Marcin Kuzminski <marcin@python-works.com>
parents:
96
diff
changeset
|
325 class AuthUser(object): |
1117
6eb5bb24a948
Major rewrite of auth objects. Moved parts of filling user data into user model.
Marcin Kuzminski <marcin@python-works.com>
parents:
1116
diff
changeset
|
326 """ |
6eb5bb24a948
Major rewrite of auth objects. Moved parts of filling user data into user model.
Marcin Kuzminski <marcin@python-works.com>
parents:
1116
diff
changeset
|
327 A simple object that handles all attributes of user in RhodeCode |
1203
6832ef664673
source code cleanup: remove trailing white space, normalize file endings
Marcin Kuzminski <marcin@python-works.com>
parents:
1195
diff
changeset
|
328 |
1117
6eb5bb24a948
Major rewrite of auth objects. Moved parts of filling user data into user model.
Marcin Kuzminski <marcin@python-works.com>
parents:
1116
diff
changeset
|
329 It does lookup based on API key,given user, or user present in session |
1203
6832ef664673
source code cleanup: remove trailing white space, normalize file endings
Marcin Kuzminski <marcin@python-works.com>
parents:
1195
diff
changeset
|
330 Then it fills all required information for such user. It also checks if |
1117
6eb5bb24a948
Major rewrite of auth objects. Moved parts of filling user data into user model.
Marcin Kuzminski <marcin@python-works.com>
parents:
1116
diff
changeset
|
331 anonymous access is enabled and if so, it returns default user as logged |
6eb5bb24a948
Major rewrite of auth objects. Moved parts of filling user data into user model.
Marcin Kuzminski <marcin@python-works.com>
parents:
1116
diff
changeset
|
332 in |
190
d8eb7ee27b4c
Added LoginRequired decorator, empty User data container, hash functions
Marcin Kuzminski <marcin@python-works.com>
parents:
96
diff
changeset
|
333 """ |
1016
3790279d2538
#56 added propagation of permission from group
Marcin Kuzminski <marcin@python-works.com>
parents:
991
diff
changeset
|
334 |
3125
9b92cf5a0cca
Added UserIpMap interface for allowed IP addresses and IP restriction access
Marcin Kuzminski <marcin@python-works.com>
parents:
2726
diff
changeset
|
335 def __init__(self, user_id=None, api_key=None, username=None, ip_addr=None): |
1117
6eb5bb24a948
Major rewrite of auth objects. Moved parts of filling user data into user model.
Marcin Kuzminski <marcin@python-works.com>
parents:
1116
diff
changeset
|
336 |
6eb5bb24a948
Major rewrite of auth objects. Moved parts of filling user data into user model.
Marcin Kuzminski <marcin@python-works.com>
parents:
1116
diff
changeset
|
337 self.user_id = user_id |
1120
a8d759613d8f
fixed some bugs in api key auth, added access by api key into rss/atom feeds in global journal
Marcin Kuzminski <marcin@python-works.com>
parents:
1118
diff
changeset
|
338 self.api_key = None |
1617
cf128ced8c85
Improved container-based auth implementation and added support for a reverse-proxy setup (using the X-Forwarded-User header)
Liad Shani <liadff@gmail.com>
parents:
1614
diff
changeset
|
339 self.username = username |
3125
9b92cf5a0cca
Added UserIpMap interface for allowed IP addresses and IP restriction access
Marcin Kuzminski <marcin@python-works.com>
parents:
2726
diff
changeset
|
340 self.ip_addr = ip_addr |
1628
de71a4bde097
Some code cleanups and fixes
Marcin Kuzminski <marcin@python-works.com>
parents:
1621
diff
changeset
|
341 |
355
5bbcc0cac389
added session remove in forms, and added name and lastname to auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
350
diff
changeset
|
342 self.name = '' |
5bbcc0cac389
added session remove in forms, and added name and lastname to auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
350
diff
changeset
|
343 self.lastname = '' |
404
a10bdd0b05a7
fixed user email for gravatars
Marcin Kuzminski <marcin@python-works.com>
parents:
399
diff
changeset
|
344 self.email = '' |
316
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
345 self.is_authenticated = False |
1117
6eb5bb24a948
Major rewrite of auth objects. Moved parts of filling user data into user model.
Marcin Kuzminski <marcin@python-works.com>
parents:
1116
diff
changeset
|
346 self.admin = False |
2714
a2eaa0054430
fixed error when disabled anonymous access lead to error on server
Marcin Kuzminski <marcin@python-works.com>
parents:
2709
diff
changeset
|
347 self.inherit_default_permissions = False |
316
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
348 self.permissions = {} |
1120
a8d759613d8f
fixed some bugs in api key auth, added access by api key into rss/atom feeds in global journal
Marcin Kuzminski <marcin@python-works.com>
parents:
1118
diff
changeset
|
349 self._api_key = api_key |
1117
6eb5bb24a948
Major rewrite of auth objects. Moved parts of filling user data into user model.
Marcin Kuzminski <marcin@python-works.com>
parents:
1116
diff
changeset
|
350 self.propagate_data() |
1950
4ae17f819ee8
#344 optional firstname lastname on user creation
Marcin Kuzminski <marcin@python-works.com>
parents:
1824
diff
changeset
|
351 self._instance = None |
1117
6eb5bb24a948
Major rewrite of auth objects. Moved parts of filling user data into user model.
Marcin Kuzminski <marcin@python-works.com>
parents:
1116
diff
changeset
|
352 |
6eb5bb24a948
Major rewrite of auth objects. Moved parts of filling user data into user model.
Marcin Kuzminski <marcin@python-works.com>
parents:
1116
diff
changeset
|
353 def propagate_data(self): |
6eb5bb24a948
Major rewrite of auth objects. Moved parts of filling user data into user model.
Marcin Kuzminski <marcin@python-works.com>
parents:
1116
diff
changeset
|
354 user_model = UserModel() |
1728
07e56179633e
- fixes celery sqlalchemy session issues for async forking
Marcin Kuzminski <marcin@python-works.com>
parents:
1718
diff
changeset
|
355 self.anonymous_user = User.get_by_username('default', cache=True) |
1613
6cab36e31f09
Added container-based authentication support
Liad Shani <liadff@gmail.com>
parents:
1425
diff
changeset
|
356 is_user_loaded = False |
1718
f78bee8eec78
reduce cookie size for better support of client side sessions
Marcin Kuzminski <marcin@python-works.com>
parents:
1716
diff
changeset
|
357 |
1628
de71a4bde097
Some code cleanups and fixes
Marcin Kuzminski <marcin@python-works.com>
parents:
1621
diff
changeset
|
358 # try go get user by api key |
1122
31e82d872631
disabled api key for anonymous users, and added api_key to rss/atom links for other users
Marcin Kuzminski <marcin@python-works.com>
parents:
1120
diff
changeset
|
359 if self._api_key and self._api_key != self.anonymous_user.api_key: |
1976 | 360 log.debug('Auth User lookup by API KEY %s' % self._api_key) |
1618
9353189b7675
Added automatic logout of deactivated/deleted users
Liad Shani <liadff@gmail.com>
parents:
1617
diff
changeset
|
361 is_user_loaded = user_model.fill_data(self, api_key=self._api_key) |
1818
cf51bbfb120e
auto white-space removal
Marcin Kuzminski <marcin@python-works.com>
parents:
1808
diff
changeset
|
362 # lookup by userid |
1718
f78bee8eec78
reduce cookie size for better support of client side sessions
Marcin Kuzminski <marcin@python-works.com>
parents:
1716
diff
changeset
|
363 elif (self.user_id is not None and |
1628
de71a4bde097
Some code cleanups and fixes
Marcin Kuzminski <marcin@python-works.com>
parents:
1621
diff
changeset
|
364 self.user_id != self.anonymous_user.user_id): |
1976 | 365 log.debug('Auth User lookup by USER ID %s' % self.user_id) |
1618
9353189b7675
Added automatic logout of deactivated/deleted users
Liad Shani <liadff@gmail.com>
parents:
1617
diff
changeset
|
366 is_user_loaded = user_model.fill_data(self, user_id=self.user_id) |
1808
ff788e390497
fix issue #323 auth by suername only if container auth is enabled
Marcin Kuzminski <marcin@python-works.com>
parents:
1749
diff
changeset
|
367 # lookup by username |
ff788e390497
fix issue #323 auth by suername only if container auth is enabled
Marcin Kuzminski <marcin@python-works.com>
parents:
1749
diff
changeset
|
368 elif self.username and \ |
ff788e390497
fix issue #323 auth by suername only if container auth is enabled
Marcin Kuzminski <marcin@python-works.com>
parents:
1749
diff
changeset
|
369 str2bool(config.get('container_auth_enabled', False)): |
1818
cf51bbfb120e
auto white-space removal
Marcin Kuzminski <marcin@python-works.com>
parents:
1808
diff
changeset
|
370 |
1976 | 371 log.debug('Auth User lookup by USER NAME %s' % self.username) |
1621
cbc2b1913cdf
Added basic automatic user creation for container auth
Liad Shani <liadff@gmail.com>
parents:
1618
diff
changeset
|
372 dbuser = login_container_auth(self.username) |
cbc2b1913cdf
Added basic automatic user creation for container auth
Liad Shani <liadff@gmail.com>
parents:
1618
diff
changeset
|
373 if dbuser is not None: |
2709
d2d35cf2b351
RhodeCode now has a option to explicitly set forking permissions. ref #508
Marcin Kuzminski <marcin@python-works.com>
parents:
2634
diff
changeset
|
374 log.debug('filling all attributes to object') |
1613
6cab36e31f09
Added container-based authentication support
Liad Shani <liadff@gmail.com>
parents:
1425
diff
changeset
|
375 for k, v in dbuser.get_dict().items(): |
6cab36e31f09
Added container-based authentication support
Liad Shani <liadff@gmail.com>
parents:
1425
diff
changeset
|
376 setattr(self, k, v) |
6cab36e31f09
Added container-based authentication support
Liad Shani <liadff@gmail.com>
parents:
1425
diff
changeset
|
377 self.set_authenticated() |
6cab36e31f09
Added container-based authentication support
Liad Shani <liadff@gmail.com>
parents:
1425
diff
changeset
|
378 is_user_loaded = True |
2045
5b12cbae0b50
fixed issue with sessions that lead to redirection loops
Marcin Kuzminski <marcin@python-works.com>
parents:
2030
diff
changeset
|
379 else: |
5b12cbae0b50
fixed issue with sessions that lead to redirection loops
Marcin Kuzminski <marcin@python-works.com>
parents:
2030
diff
changeset
|
380 log.debug('No data in %s that could been used to log in' % self) |
1613
6cab36e31f09
Added container-based authentication support
Liad Shani <liadff@gmail.com>
parents:
1425
diff
changeset
|
381 |
6cab36e31f09
Added container-based authentication support
Liad Shani <liadff@gmail.com>
parents:
1425
diff
changeset
|
382 if not is_user_loaded: |
1628
de71a4bde097
Some code cleanups and fixes
Marcin Kuzminski <marcin@python-works.com>
parents:
1621
diff
changeset
|
383 # if we cannot authenticate user try anonymous |
3625
260a7a01b054
follow Python conventions for boolean values
Mads Kiilerich <madski@unity3d.com>
parents:
3415
diff
changeset
|
384 if self.anonymous_user.active: |
1718
f78bee8eec78
reduce cookie size for better support of client side sessions
Marcin Kuzminski <marcin@python-works.com>
parents:
1716
diff
changeset
|
385 user_model.fill_data(self, user_id=self.anonymous_user.user_id) |
1628
de71a4bde097
Some code cleanups and fixes
Marcin Kuzminski <marcin@python-works.com>
parents:
1621
diff
changeset
|
386 # then we set this user is logged in |
1613
6cab36e31f09
Added container-based authentication support
Liad Shani <liadff@gmail.com>
parents:
1425
diff
changeset
|
387 self.is_authenticated = True |
1117
6eb5bb24a948
Major rewrite of auth objects. Moved parts of filling user data into user model.
Marcin Kuzminski <marcin@python-works.com>
parents:
1116
diff
changeset
|
388 else: |
1618
9353189b7675
Added automatic logout of deactivated/deleted users
Liad Shani <liadff@gmail.com>
parents:
1617
diff
changeset
|
389 self.user_id = None |
9353189b7675
Added automatic logout of deactivated/deleted users
Liad Shani <liadff@gmail.com>
parents:
1617
diff
changeset
|
390 self.username = None |
1613
6cab36e31f09
Added container-based authentication support
Liad Shani <liadff@gmail.com>
parents:
1425
diff
changeset
|
391 self.is_authenticated = False |
1117
6eb5bb24a948
Major rewrite of auth objects. Moved parts of filling user data into user model.
Marcin Kuzminski <marcin@python-works.com>
parents:
1116
diff
changeset
|
392 |
1617
cf128ced8c85
Improved container-based auth implementation and added support for a reverse-proxy setup (using the X-Forwarded-User header)
Liad Shani <liadff@gmail.com>
parents:
1614
diff
changeset
|
393 if not self.username: |
cf128ced8c85
Improved container-based auth implementation and added support for a reverse-proxy setup (using the X-Forwarded-User header)
Liad Shani <liadff@gmail.com>
parents:
1614
diff
changeset
|
394 self.username = 'None' |
cf128ced8c85
Improved container-based auth implementation and added support for a reverse-proxy setup (using the X-Forwarded-User header)
Liad Shani <liadff@gmail.com>
parents:
1614
diff
changeset
|
395 |
1976 | 396 log.debug('Auth User is now %s' % self) |
1117
6eb5bb24a948
Major rewrite of auth objects. Moved parts of filling user data into user model.
Marcin Kuzminski <marcin@python-works.com>
parents:
1116
diff
changeset
|
397 user_model.fill_perms(self) |
6eb5bb24a948
Major rewrite of auth objects. Moved parts of filling user data into user model.
Marcin Kuzminski <marcin@python-works.com>
parents:
1116
diff
changeset
|
398 |
6eb5bb24a948
Major rewrite of auth objects. Moved parts of filling user data into user model.
Marcin Kuzminski <marcin@python-works.com>
parents:
1116
diff
changeset
|
399 @property |
6eb5bb24a948
Major rewrite of auth objects. Moved parts of filling user data into user model.
Marcin Kuzminski <marcin@python-works.com>
parents:
1116
diff
changeset
|
400 def is_admin(self): |
6eb5bb24a948
Major rewrite of auth objects. Moved parts of filling user data into user model.
Marcin Kuzminski <marcin@python-works.com>
parents:
1116
diff
changeset
|
401 return self.admin |
239
b18f89d6d17f
Adde draft for permissions systems, made all needed decorators, and checks. For future usage in the system.
Marcin Kuzminski <marcin@python-works.com>
parents:
234
diff
changeset
|
402 |
3146
c5169e445fb8
Full IP restrictions enabled
Marcin Kuzminski <marcin@python-works.com>
parents:
3137
diff
changeset
|
403 @property |
3371
199fd214b213
Show admin dropdown for users who are admin of repo groups
Marcin Kuzminski <marcin@python-works.com>
parents:
3370
diff
changeset
|
404 def repos_admin(self): |
199fd214b213
Show admin dropdown for users who are admin of repo groups
Marcin Kuzminski <marcin@python-works.com>
parents:
3370
diff
changeset
|
405 """ |
199fd214b213
Show admin dropdown for users who are admin of repo groups
Marcin Kuzminski <marcin@python-works.com>
parents:
3370
diff
changeset
|
406 Returns list of repositories you're an admin of |
199fd214b213
Show admin dropdown for users who are admin of repo groups
Marcin Kuzminski <marcin@python-works.com>
parents:
3370
diff
changeset
|
407 """ |
199fd214b213
Show admin dropdown for users who are admin of repo groups
Marcin Kuzminski <marcin@python-works.com>
parents:
3370
diff
changeset
|
408 return [x[0] for x in self.permissions['repositories'].iteritems() |
199fd214b213
Show admin dropdown for users who are admin of repo groups
Marcin Kuzminski <marcin@python-works.com>
parents:
3370
diff
changeset
|
409 if x[1] == 'repository.admin'] |
199fd214b213
Show admin dropdown for users who are admin of repo groups
Marcin Kuzminski <marcin@python-works.com>
parents:
3370
diff
changeset
|
410 |
199fd214b213
Show admin dropdown for users who are admin of repo groups
Marcin Kuzminski <marcin@python-works.com>
parents:
3370
diff
changeset
|
411 @property |
199fd214b213
Show admin dropdown for users who are admin of repo groups
Marcin Kuzminski <marcin@python-works.com>
parents:
3370
diff
changeset
|
412 def groups_admin(self): |
199fd214b213
Show admin dropdown for users who are admin of repo groups
Marcin Kuzminski <marcin@python-works.com>
parents:
3370
diff
changeset
|
413 """ |
3415
b8f929bff7e3
fixed tests and missing replacements from 5f1850e4712a
Marcin Kuzminski <marcin@python-works.com>
parents:
3371
diff
changeset
|
414 Returns list of repository groups you're an admin of |
3371
199fd214b213
Show admin dropdown for users who are admin of repo groups
Marcin Kuzminski <marcin@python-works.com>
parents:
3370
diff
changeset
|
415 """ |
199fd214b213
Show admin dropdown for users who are admin of repo groups
Marcin Kuzminski <marcin@python-works.com>
parents:
3370
diff
changeset
|
416 return [x[0] for x in self.permissions['repositories_groups'].iteritems() |
199fd214b213
Show admin dropdown for users who are admin of repo groups
Marcin Kuzminski <marcin@python-works.com>
parents:
3370
diff
changeset
|
417 if x[1] == 'group.admin'] |
199fd214b213
Show admin dropdown for users who are admin of repo groups
Marcin Kuzminski <marcin@python-works.com>
parents:
3370
diff
changeset
|
418 |
199fd214b213
Show admin dropdown for users who are admin of repo groups
Marcin Kuzminski <marcin@python-works.com>
parents:
3370
diff
changeset
|
419 @property |
3146
c5169e445fb8
Full IP restrictions enabled
Marcin Kuzminski <marcin@python-works.com>
parents:
3137
diff
changeset
|
420 def ip_allowed(self): |
c5169e445fb8
Full IP restrictions enabled
Marcin Kuzminski <marcin@python-works.com>
parents:
3137
diff
changeset
|
421 """ |
c5169e445fb8
Full IP restrictions enabled
Marcin Kuzminski <marcin@python-works.com>
parents:
3137
diff
changeset
|
422 Checks if ip_addr used in constructor is allowed from defined list of |
c5169e445fb8
Full IP restrictions enabled
Marcin Kuzminski <marcin@python-works.com>
parents:
3137
diff
changeset
|
423 allowed ip_addresses for user |
c5169e445fb8
Full IP restrictions enabled
Marcin Kuzminski <marcin@python-works.com>
parents:
3137
diff
changeset
|
424 |
c5169e445fb8
Full IP restrictions enabled
Marcin Kuzminski <marcin@python-works.com>
parents:
3137
diff
changeset
|
425 :returns: boolean, True if ip is in allowed ip range |
c5169e445fb8
Full IP restrictions enabled
Marcin Kuzminski <marcin@python-works.com>
parents:
3137
diff
changeset
|
426 """ |
c5169e445fb8
Full IP restrictions enabled
Marcin Kuzminski <marcin@python-works.com>
parents:
3137
diff
changeset
|
427 #check IP |
c5169e445fb8
Full IP restrictions enabled
Marcin Kuzminski <marcin@python-works.com>
parents:
3137
diff
changeset
|
428 allowed_ips = AuthUser.get_allowed_ips(self.user_id, cache=True) |
c5169e445fb8
Full IP restrictions enabled
Marcin Kuzminski <marcin@python-works.com>
parents:
3137
diff
changeset
|
429 if check_ip_access(source_ip=self.ip_addr, allowed_ips=allowed_ips): |
c5169e445fb8
Full IP restrictions enabled
Marcin Kuzminski <marcin@python-works.com>
parents:
3137
diff
changeset
|
430 log.debug('IP:%s is in range of %s' % (self.ip_addr, allowed_ips)) |
c5169e445fb8
Full IP restrictions enabled
Marcin Kuzminski <marcin@python-works.com>
parents:
3137
diff
changeset
|
431 return True |
c5169e445fb8
Full IP restrictions enabled
Marcin Kuzminski <marcin@python-works.com>
parents:
3137
diff
changeset
|
432 else: |
c5169e445fb8
Full IP restrictions enabled
Marcin Kuzminski <marcin@python-works.com>
parents:
3137
diff
changeset
|
433 log.info('Access for IP:%s forbidden, ' |
c5169e445fb8
Full IP restrictions enabled
Marcin Kuzminski <marcin@python-works.com>
parents:
3137
diff
changeset
|
434 'not in %s' % (self.ip_addr, allowed_ips)) |
c5169e445fb8
Full IP restrictions enabled
Marcin Kuzminski <marcin@python-works.com>
parents:
3137
diff
changeset
|
435 return False |
c5169e445fb8
Full IP restrictions enabled
Marcin Kuzminski <marcin@python-works.com>
parents:
3137
diff
changeset
|
436 |
673
dd532af216d9
#49 Enabled anonymous access for web interface controllable from permissions pannel
Marcin Kuzminski <marcin@python-works.com>
parents:
629
diff
changeset
|
437 def __repr__(self): |
1117
6eb5bb24a948
Major rewrite of auth objects. Moved parts of filling user data into user model.
Marcin Kuzminski <marcin@python-works.com>
parents:
1116
diff
changeset
|
438 return "<AuthUser('id:%s:%s|%s')>" % (self.user_id, self.username, |
6eb5bb24a948
Major rewrite of auth objects. Moved parts of filling user data into user model.
Marcin Kuzminski <marcin@python-works.com>
parents:
1116
diff
changeset
|
439 self.is_authenticated) |
6eb5bb24a948
Major rewrite of auth objects. Moved parts of filling user data into user model.
Marcin Kuzminski <marcin@python-works.com>
parents:
1116
diff
changeset
|
440 |
6eb5bb24a948
Major rewrite of auth objects. Moved parts of filling user data into user model.
Marcin Kuzminski <marcin@python-works.com>
parents:
1116
diff
changeset
|
441 def set_authenticated(self, authenticated=True): |
6eb5bb24a948
Major rewrite of auth objects. Moved parts of filling user data into user model.
Marcin Kuzminski <marcin@python-works.com>
parents:
1116
diff
changeset
|
442 if self.user_id != self.anonymous_user.user_id: |
6eb5bb24a948
Major rewrite of auth objects. Moved parts of filling user data into user model.
Marcin Kuzminski <marcin@python-works.com>
parents:
1116
diff
changeset
|
443 self.is_authenticated = authenticated |
6eb5bb24a948
Major rewrite of auth objects. Moved parts of filling user data into user model.
Marcin Kuzminski <marcin@python-works.com>
parents:
1116
diff
changeset
|
444 |
1718
f78bee8eec78
reduce cookie size for better support of client side sessions
Marcin Kuzminski <marcin@python-works.com>
parents:
1716
diff
changeset
|
445 def get_cookie_store(self): |
1950
4ae17f819ee8
#344 optional firstname lastname on user creation
Marcin Kuzminski <marcin@python-works.com>
parents:
1824
diff
changeset
|
446 return {'username': self.username, |
1718
f78bee8eec78
reduce cookie size for better support of client side sessions
Marcin Kuzminski <marcin@python-works.com>
parents:
1716
diff
changeset
|
447 'user_id': self.user_id, |
1950
4ae17f819ee8
#344 optional firstname lastname on user creation
Marcin Kuzminski <marcin@python-works.com>
parents:
1824
diff
changeset
|
448 'is_authenticated': self.is_authenticated} |
1718
f78bee8eec78
reduce cookie size for better support of client side sessions
Marcin Kuzminski <marcin@python-works.com>
parents:
1716
diff
changeset
|
449 |
f78bee8eec78
reduce cookie size for better support of client side sessions
Marcin Kuzminski <marcin@python-works.com>
parents:
1716
diff
changeset
|
450 @classmethod |
f78bee8eec78
reduce cookie size for better support of client side sessions
Marcin Kuzminski <marcin@python-works.com>
parents:
1716
diff
changeset
|
451 def from_cookie_store(cls, cookie_store): |
2030
61f9aeb2129e
Added session wrapper, for rc 1.2.X compatibility. Adds backwards compatability
Marcin Kuzminski <marcin@python-works.com>
parents:
2025
diff
changeset
|
452 """ |
61f9aeb2129e
Added session wrapper, for rc 1.2.X compatibility. Adds backwards compatability
Marcin Kuzminski <marcin@python-works.com>
parents:
2025
diff
changeset
|
453 Creates AuthUser from a cookie store |
61f9aeb2129e
Added session wrapper, for rc 1.2.X compatibility. Adds backwards compatability
Marcin Kuzminski <marcin@python-works.com>
parents:
2025
diff
changeset
|
454 |
61f9aeb2129e
Added session wrapper, for rc 1.2.X compatibility. Adds backwards compatability
Marcin Kuzminski <marcin@python-works.com>
parents:
2025
diff
changeset
|
455 :param cls: |
61f9aeb2129e
Added session wrapper, for rc 1.2.X compatibility. Adds backwards compatability
Marcin Kuzminski <marcin@python-works.com>
parents:
2025
diff
changeset
|
456 :param cookie_store: |
61f9aeb2129e
Added session wrapper, for rc 1.2.X compatibility. Adds backwards compatability
Marcin Kuzminski <marcin@python-works.com>
parents:
2025
diff
changeset
|
457 """ |
1718
f78bee8eec78
reduce cookie size for better support of client side sessions
Marcin Kuzminski <marcin@python-works.com>
parents:
1716
diff
changeset
|
458 user_id = cookie_store.get('user_id') |
f78bee8eec78
reduce cookie size for better support of client side sessions
Marcin Kuzminski <marcin@python-works.com>
parents:
1716
diff
changeset
|
459 username = cookie_store.get('username') |
f78bee8eec78
reduce cookie size for better support of client side sessions
Marcin Kuzminski <marcin@python-works.com>
parents:
1716
diff
changeset
|
460 api_key = cookie_store.get('api_key') |
f78bee8eec78
reduce cookie size for better support of client side sessions
Marcin Kuzminski <marcin@python-works.com>
parents:
1716
diff
changeset
|
461 return AuthUser(user_id, api_key, username) |
239
b18f89d6d17f
Adde draft for permissions systems, made all needed decorators, and checks. For future usage in the system.
Marcin Kuzminski <marcin@python-works.com>
parents:
234
diff
changeset
|
462 |
3125
9b92cf5a0cca
Added UserIpMap interface for allowed IP addresses and IP restriction access
Marcin Kuzminski <marcin@python-works.com>
parents:
2726
diff
changeset
|
463 @classmethod |
3146
c5169e445fb8
Full IP restrictions enabled
Marcin Kuzminski <marcin@python-works.com>
parents:
3137
diff
changeset
|
464 def get_allowed_ips(cls, user_id, cache=False): |
3125
9b92cf5a0cca
Added UserIpMap interface for allowed IP addresses and IP restriction access
Marcin Kuzminski <marcin@python-works.com>
parents:
2726
diff
changeset
|
465 _set = set() |
3146
c5169e445fb8
Full IP restrictions enabled
Marcin Kuzminski <marcin@python-works.com>
parents:
3137
diff
changeset
|
466 user_ips = UserIpMap.query().filter(UserIpMap.user_id == user_id) |
c5169e445fb8
Full IP restrictions enabled
Marcin Kuzminski <marcin@python-works.com>
parents:
3137
diff
changeset
|
467 if cache: |
c5169e445fb8
Full IP restrictions enabled
Marcin Kuzminski <marcin@python-works.com>
parents:
3137
diff
changeset
|
468 user_ips = user_ips.options(FromCache("sql_cache_short", |
c5169e445fb8
Full IP restrictions enabled
Marcin Kuzminski <marcin@python-works.com>
parents:
3137
diff
changeset
|
469 "get_user_ips_%s" % user_id)) |
3125
9b92cf5a0cca
Added UserIpMap interface for allowed IP addresses and IP restriction access
Marcin Kuzminski <marcin@python-works.com>
parents:
2726
diff
changeset
|
470 for ip in user_ips: |
3212
6c28533d122c
IP restrictions now also enabled for IPv6
Marcin Kuzminski <marcin@python-works.com>
parents:
3173
diff
changeset
|
471 try: |
6c28533d122c
IP restrictions now also enabled for IPv6
Marcin Kuzminski <marcin@python-works.com>
parents:
3173
diff
changeset
|
472 _set.add(ip.ip_addr) |
6c28533d122c
IP restrictions now also enabled for IPv6
Marcin Kuzminski <marcin@python-works.com>
parents:
3173
diff
changeset
|
473 except ObjectDeletedError: |
6c28533d122c
IP restrictions now also enabled for IPv6
Marcin Kuzminski <marcin@python-works.com>
parents:
3173
diff
changeset
|
474 # since we use heavy caching sometimes it happens that we get |
6c28533d122c
IP restrictions now also enabled for IPv6
Marcin Kuzminski <marcin@python-works.com>
parents:
3173
diff
changeset
|
475 # deleted objects here, we just skip them |
6c28533d122c
IP restrictions now also enabled for IPv6
Marcin Kuzminski <marcin@python-works.com>
parents:
3173
diff
changeset
|
476 pass |
6c28533d122c
IP restrictions now also enabled for IPv6
Marcin Kuzminski <marcin@python-works.com>
parents:
3173
diff
changeset
|
477 return _set or set(['0.0.0.0/0', '::/0']) |
3125
9b92cf5a0cca
Added UserIpMap interface for allowed IP addresses and IP restriction access
Marcin Kuzminski <marcin@python-works.com>
parents:
2726
diff
changeset
|
478 |
1950
4ae17f819ee8
#344 optional firstname lastname on user creation
Marcin Kuzminski <marcin@python-works.com>
parents:
1824
diff
changeset
|
479 |
239
b18f89d6d17f
Adde draft for permissions systems, made all needed decorators, and checks. For future usage in the system.
Marcin Kuzminski <marcin@python-works.com>
parents:
234
diff
changeset
|
480 def set_available_permissions(config): |
1628
de71a4bde097
Some code cleanups and fixes
Marcin Kuzminski <marcin@python-works.com>
parents:
1621
diff
changeset
|
481 """ |
de71a4bde097
Some code cleanups and fixes
Marcin Kuzminski <marcin@python-works.com>
parents:
1621
diff
changeset
|
482 This function will propagate pylons globals with all available defined |
1203
6832ef664673
source code cleanup: remove trailing white space, normalize file endings
Marcin Kuzminski <marcin@python-works.com>
parents:
1195
diff
changeset
|
483 permission given in db. We don't want to check each time from db for new |
239
b18f89d6d17f
Adde draft for permissions systems, made all needed decorators, and checks. For future usage in the system.
Marcin Kuzminski <marcin@python-works.com>
parents:
234
diff
changeset
|
484 permissions since adding a new permission also requires application restart |
b18f89d6d17f
Adde draft for permissions systems, made all needed decorators, and checks. For future usage in the system.
Marcin Kuzminski <marcin@python-works.com>
parents:
234
diff
changeset
|
485 ie. to decorate new views with the newly created permission |
1203
6832ef664673
source code cleanup: remove trailing white space, normalize file endings
Marcin Kuzminski <marcin@python-works.com>
parents:
1195
diff
changeset
|
486 |
895
62c04c5cc971
Added some more details into user edit permissions view
Marcin Kuzminski <marcin@python-works.com>
parents:
779
diff
changeset
|
487 :param config: current pylons config instance |
1203
6832ef664673
source code cleanup: remove trailing white space, normalize file endings
Marcin Kuzminski <marcin@python-works.com>
parents:
1195
diff
changeset
|
488 |
239
b18f89d6d17f
Adde draft for permissions systems, made all needed decorators, and checks. For future usage in the system.
Marcin Kuzminski <marcin@python-works.com>
parents:
234
diff
changeset
|
489 """ |
316
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
490 log.info('getting information about all available permissions') |
350
664a5b8c551a
Added application settings, are now customizable from database
Marcin Kuzminski <marcin@python-works.com>
parents:
343
diff
changeset
|
491 try: |
1749
8ecc6b8229a5
commit less models
Marcin Kuzminski <marcin@python-works.com>
parents:
1728
diff
changeset
|
492 sa = meta.Session |
350
664a5b8c551a
Added application settings, are now customizable from database
Marcin Kuzminski <marcin@python-works.com>
parents:
343
diff
changeset
|
493 all_perms = sa.query(Permission).all() |
1950
4ae17f819ee8
#344 optional firstname lastname on user creation
Marcin Kuzminski <marcin@python-works.com>
parents:
1824
diff
changeset
|
494 except Exception: |
629
7e536d1af60d
Code refactoring,models renames
Marcin Kuzminski <marcin@python-works.com>
parents:
612
diff
changeset
|
495 pass |
350
664a5b8c551a
Added application settings, are now customizable from database
Marcin Kuzminski <marcin@python-works.com>
parents:
343
diff
changeset
|
496 finally: |
664a5b8c551a
Added application settings, are now customizable from database
Marcin Kuzminski <marcin@python-works.com>
parents:
343
diff
changeset
|
497 meta.Session.remove() |
673
dd532af216d9
#49 Enabled anonymous access for web interface controllable from permissions pannel
Marcin Kuzminski <marcin@python-works.com>
parents:
629
diff
changeset
|
498 |
316
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
499 config['available_permissions'] = [x.permission_name for x in all_perms] |
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
500 |
1246 | 501 |
502 #============================================================================== | |
316
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
503 # CHECK DECORATORS |
1246 | 504 #============================================================================== |
190
d8eb7ee27b4c
Added LoginRequired decorator, empty User data container, hash functions
Marcin Kuzminski <marcin@python-works.com>
parents:
96
diff
changeset
|
505 class LoginRequired(object): |
1117
6eb5bb24a948
Major rewrite of auth objects. Moved parts of filling user data into user model.
Marcin Kuzminski <marcin@python-works.com>
parents:
1116
diff
changeset
|
506 """ |
1203
6832ef664673
source code cleanup: remove trailing white space, normalize file endings
Marcin Kuzminski <marcin@python-works.com>
parents:
1195
diff
changeset
|
507 Must be logged in to execute this function else |
1117
6eb5bb24a948
Major rewrite of auth objects. Moved parts of filling user data into user model.
Marcin Kuzminski <marcin@python-works.com>
parents:
1116
diff
changeset
|
508 redirect to login page |
1203
6832ef664673
source code cleanup: remove trailing white space, normalize file endings
Marcin Kuzminski <marcin@python-works.com>
parents:
1195
diff
changeset
|
509 |
1117
6eb5bb24a948
Major rewrite of auth objects. Moved parts of filling user data into user model.
Marcin Kuzminski <marcin@python-works.com>
parents:
1116
diff
changeset
|
510 :param api_access: if enabled this checks only for valid auth token |
6eb5bb24a948
Major rewrite of auth objects. Moved parts of filling user data into user model.
Marcin Kuzminski <marcin@python-works.com>
parents:
1116
diff
changeset
|
511 and grants access based on valid token |
6eb5bb24a948
Major rewrite of auth objects. Moved parts of filling user data into user model.
Marcin Kuzminski <marcin@python-works.com>
parents:
1116
diff
changeset
|
512 """ |
6eb5bb24a948
Major rewrite of auth objects. Moved parts of filling user data into user model.
Marcin Kuzminski <marcin@python-works.com>
parents:
1116
diff
changeset
|
513 |
6eb5bb24a948
Major rewrite of auth objects. Moved parts of filling user data into user model.
Marcin Kuzminski <marcin@python-works.com>
parents:
1116
diff
changeset
|
514 def __init__(self, api_access=False): |
6eb5bb24a948
Major rewrite of auth objects. Moved parts of filling user data into user model.
Marcin Kuzminski <marcin@python-works.com>
parents:
1116
diff
changeset
|
515 self.api_access = api_access |
673
dd532af216d9
#49 Enabled anonymous access for web interface controllable from permissions pannel
Marcin Kuzminski <marcin@python-works.com>
parents:
629
diff
changeset
|
516 |
190
d8eb7ee27b4c
Added LoginRequired decorator, empty User data container, hash functions
Marcin Kuzminski <marcin@python-works.com>
parents:
96
diff
changeset
|
517 def __call__(self, func): |
377
bd8b25ad058d
Fixed decorators bug when using them with keyworded arguments,new implementation takes new approach that is more flexible
Marcin Kuzminski <marcin@python-works.com>
parents:
371
diff
changeset
|
518 return decorator(self.__wrapper, func) |
673
dd532af216d9
#49 Enabled anonymous access for web interface controllable from permissions pannel
Marcin Kuzminski <marcin@python-works.com>
parents:
629
diff
changeset
|
519 |
377
bd8b25ad058d
Fixed decorators bug when using them with keyworded arguments,new implementation takes new approach that is more flexible
Marcin Kuzminski <marcin@python-works.com>
parents:
371
diff
changeset
|
520 def __wrapper(self, func, *fargs, **fkwargs): |
1117
6eb5bb24a948
Major rewrite of auth objects. Moved parts of filling user data into user model.
Marcin Kuzminski <marcin@python-works.com>
parents:
1116
diff
changeset
|
521 cls = fargs[0] |
6eb5bb24a948
Major rewrite of auth objects. Moved parts of filling user data into user model.
Marcin Kuzminski <marcin@python-works.com>
parents:
1116
diff
changeset
|
522 user = cls.rhodecode_user |
3146
c5169e445fb8
Full IP restrictions enabled
Marcin Kuzminski <marcin@python-works.com>
parents:
3137
diff
changeset
|
523 loc = "%s:%s" % (cls.__class__.__name__, func.__name__) |
c5169e445fb8
Full IP restrictions enabled
Marcin Kuzminski <marcin@python-works.com>
parents:
3137
diff
changeset
|
524 |
c5169e445fb8
Full IP restrictions enabled
Marcin Kuzminski <marcin@python-works.com>
parents:
3137
diff
changeset
|
525 #check IP |
c5169e445fb8
Full IP restrictions enabled
Marcin Kuzminski <marcin@python-works.com>
parents:
3137
diff
changeset
|
526 ip_access_ok = True |
c5169e445fb8
Full IP restrictions enabled
Marcin Kuzminski <marcin@python-works.com>
parents:
3137
diff
changeset
|
527 if not user.ip_allowed: |
c5169e445fb8
Full IP restrictions enabled
Marcin Kuzminski <marcin@python-works.com>
parents:
3137
diff
changeset
|
528 from rhodecode.lib import helpers as h |
c5169e445fb8
Full IP restrictions enabled
Marcin Kuzminski <marcin@python-works.com>
parents:
3137
diff
changeset
|
529 h.flash(h.literal(_('IP %s not allowed' % (user.ip_addr))), |
c5169e445fb8
Full IP restrictions enabled
Marcin Kuzminski <marcin@python-works.com>
parents:
3137
diff
changeset
|
530 category='warning') |
c5169e445fb8
Full IP restrictions enabled
Marcin Kuzminski <marcin@python-works.com>
parents:
3137
diff
changeset
|
531 ip_access_ok = False |
1117
6eb5bb24a948
Major rewrite of auth objects. Moved parts of filling user data into user model.
Marcin Kuzminski <marcin@python-works.com>
parents:
1116
diff
changeset
|
532 |
6eb5bb24a948
Major rewrite of auth objects. Moved parts of filling user data into user model.
Marcin Kuzminski <marcin@python-works.com>
parents:
1116
diff
changeset
|
533 api_access_ok = False |
6eb5bb24a948
Major rewrite of auth objects. Moved parts of filling user data into user model.
Marcin Kuzminski <marcin@python-works.com>
parents:
1116
diff
changeset
|
534 if self.api_access: |
1976 | 535 log.debug('Checking API KEY access for %s' % cls) |
1117
6eb5bb24a948
Major rewrite of auth objects. Moved parts of filling user data into user model.
Marcin Kuzminski <marcin@python-works.com>
parents:
1116
diff
changeset
|
536 if user.api_key == request.GET.get('api_key'): |
6eb5bb24a948
Major rewrite of auth objects. Moved parts of filling user data into user model.
Marcin Kuzminski <marcin@python-works.com>
parents:
1116
diff
changeset
|
537 api_access_ok = True |
6eb5bb24a948
Major rewrite of auth objects. Moved parts of filling user data into user model.
Marcin Kuzminski <marcin@python-works.com>
parents:
1116
diff
changeset
|
538 else: |
6eb5bb24a948
Major rewrite of auth objects. Moved parts of filling user data into user model.
Marcin Kuzminski <marcin@python-works.com>
parents:
1116
diff
changeset
|
539 log.debug("API KEY token not valid") |
3146
c5169e445fb8
Full IP restrictions enabled
Marcin Kuzminski <marcin@python-works.com>
parents:
3137
diff
changeset
|
540 |
2025
7e979933ffec
more work on improving info logging
Marcin Kuzminski <marcin@python-works.com>
parents:
2000
diff
changeset
|
541 log.debug('Checking if %s is authenticated @ %s' % (user.username, loc)) |
3146
c5169e445fb8
Full IP restrictions enabled
Marcin Kuzminski <marcin@python-works.com>
parents:
3137
diff
changeset
|
542 if (user.is_authenticated or api_access_ok) and ip_access_ok: |
2458
ba49541187d9
Little more verbose logging for auth
Marcin Kuzminski <marcin@python-works.com>
parents:
2278
diff
changeset
|
543 reason = 'RegularAuth' if user.is_authenticated else 'APIAuth' |
ba49541187d9
Little more verbose logging for auth
Marcin Kuzminski <marcin@python-works.com>
parents:
2278
diff
changeset
|
544 log.info('user %s is authenticated and granted access to %s ' |
ba49541187d9
Little more verbose logging for auth
Marcin Kuzminski <marcin@python-works.com>
parents:
2278
diff
changeset
|
545 'using %s' % (user.username, loc, reason) |
2025
7e979933ffec
more work on improving info logging
Marcin Kuzminski <marcin@python-works.com>
parents:
2000
diff
changeset
|
546 ) |
377
bd8b25ad058d
Fixed decorators bug when using them with keyworded arguments,new implementation takes new approach that is more flexible
Marcin Kuzminski <marcin@python-works.com>
parents:
371
diff
changeset
|
547 return func(*fargs, **fkwargs) |
bd8b25ad058d
Fixed decorators bug when using them with keyworded arguments,new implementation takes new approach that is more flexible
Marcin Kuzminski <marcin@python-works.com>
parents:
371
diff
changeset
|
548 else: |
2025
7e979933ffec
more work on improving info logging
Marcin Kuzminski <marcin@python-works.com>
parents:
2000
diff
changeset
|
549 log.warn('user %s NOT authenticated on func: %s' % ( |
7e979933ffec
more work on improving info logging
Marcin Kuzminski <marcin@python-works.com>
parents:
2000
diff
changeset
|
550 user, loc) |
7e979933ffec
more work on improving info logging
Marcin Kuzminski <marcin@python-works.com>
parents:
2000
diff
changeset
|
551 ) |
1207
e61b7ba293db
changed the way of generating url for came_from
Marcin Kuzminski <marcin@python-works.com>
parents:
1206
diff
changeset
|
552 p = url.current() |
673
dd532af216d9
#49 Enabled anonymous access for web interface controllable from permissions pannel
Marcin Kuzminski <marcin@python-works.com>
parents:
629
diff
changeset
|
553 |
1976 | 554 log.debug('redirecting to login page with %s' % p) |
474
a3d9d24acbec
Implemented password reset(forms/models/ tasks) and mailing tasks.
Marcin Kuzminski <marcin@python-works.com>
parents:
442
diff
changeset
|
555 return redirect(url('login_home', came_from=p)) |
239
b18f89d6d17f
Adde draft for permissions systems, made all needed decorators, and checks. For future usage in the system.
Marcin Kuzminski <marcin@python-works.com>
parents:
234
diff
changeset
|
556 |
1246 | 557 |
779
389d02a5df52
Added isanonymous decorator for checking permissions for anonymous access
Marcin Kuzminski <marcin@python-works.com>
parents:
761
diff
changeset
|
558 class NotAnonymous(object): |
1716
7d1fc253549e
notification to commit author + gardening
Marcin Kuzminski <marcin@python-works.com>
parents:
1644
diff
changeset
|
559 """ |
7d1fc253549e
notification to commit author + gardening
Marcin Kuzminski <marcin@python-works.com>
parents:
1644
diff
changeset
|
560 Must be logged in to execute this function else |
779
389d02a5df52
Added isanonymous decorator for checking permissions for anonymous access
Marcin Kuzminski <marcin@python-works.com>
parents:
761
diff
changeset
|
561 redirect to login page""" |
389d02a5df52
Added isanonymous decorator for checking permissions for anonymous access
Marcin Kuzminski <marcin@python-works.com>
parents:
761
diff
changeset
|
562 |
389d02a5df52
Added isanonymous decorator for checking permissions for anonymous access
Marcin Kuzminski <marcin@python-works.com>
parents:
761
diff
changeset
|
563 def __call__(self, func): |
389d02a5df52
Added isanonymous decorator for checking permissions for anonymous access
Marcin Kuzminski <marcin@python-works.com>
parents:
761
diff
changeset
|
564 return decorator(self.__wrapper, func) |
389d02a5df52
Added isanonymous decorator for checking permissions for anonymous access
Marcin Kuzminski <marcin@python-works.com>
parents:
761
diff
changeset
|
565 |
389d02a5df52
Added isanonymous decorator for checking permissions for anonymous access
Marcin Kuzminski <marcin@python-works.com>
parents:
761
diff
changeset
|
566 def __wrapper(self, func, *fargs, **fkwargs): |
1117
6eb5bb24a948
Major rewrite of auth objects. Moved parts of filling user data into user model.
Marcin Kuzminski <marcin@python-works.com>
parents:
1116
diff
changeset
|
567 cls = fargs[0] |
6eb5bb24a948
Major rewrite of auth objects. Moved parts of filling user data into user model.
Marcin Kuzminski <marcin@python-works.com>
parents:
1116
diff
changeset
|
568 self.user = cls.rhodecode_user |
779
389d02a5df52
Added isanonymous decorator for checking permissions for anonymous access
Marcin Kuzminski <marcin@python-works.com>
parents:
761
diff
changeset
|
569 |
1976 | 570 log.debug('Checking if user is not anonymous @%s' % cls) |
1117
6eb5bb24a948
Major rewrite of auth objects. Moved parts of filling user data into user model.
Marcin Kuzminski <marcin@python-works.com>
parents:
1116
diff
changeset
|
571 |
6eb5bb24a948
Major rewrite of auth objects. Moved parts of filling user data into user model.
Marcin Kuzminski <marcin@python-works.com>
parents:
1116
diff
changeset
|
572 anonymous = self.user.username == 'default' |
779
389d02a5df52
Added isanonymous decorator for checking permissions for anonymous access
Marcin Kuzminski <marcin@python-works.com>
parents:
761
diff
changeset
|
573 |
389d02a5df52
Added isanonymous decorator for checking permissions for anonymous access
Marcin Kuzminski <marcin@python-works.com>
parents:
761
diff
changeset
|
574 if anonymous: |
1335
40c8d18102a9
fixed redirection link in notAnonymous decorator
Marcin Kuzminski <marcin@python-works.com>
parents:
1307
diff
changeset
|
575 p = url.current() |
1056
520d27f40b51
#113 removed anonymous access from forking, added system messages in login box.
Marcin Kuzminski <marcin@python-works.com>
parents:
1040
diff
changeset
|
576 |
520d27f40b51
#113 removed anonymous access from forking, added system messages in login box.
Marcin Kuzminski <marcin@python-works.com>
parents:
1040
diff
changeset
|
577 import rhodecode.lib.helpers as h |
1246 | 578 h.flash(_('You need to be a registered user to ' |
579 'perform this action'), | |
1056
520d27f40b51
#113 removed anonymous access from forking, added system messages in login box.
Marcin Kuzminski <marcin@python-works.com>
parents:
1040
diff
changeset
|
580 category='warning') |
779
389d02a5df52
Added isanonymous decorator for checking permissions for anonymous access
Marcin Kuzminski <marcin@python-works.com>
parents:
761
diff
changeset
|
581 return redirect(url('login_home', came_from=p)) |
389d02a5df52
Added isanonymous decorator for checking permissions for anonymous access
Marcin Kuzminski <marcin@python-works.com>
parents:
761
diff
changeset
|
582 else: |
389d02a5df52
Added isanonymous decorator for checking permissions for anonymous access
Marcin Kuzminski <marcin@python-works.com>
parents:
761
diff
changeset
|
583 return func(*fargs, **fkwargs) |
389d02a5df52
Added isanonymous decorator for checking permissions for anonymous access
Marcin Kuzminski <marcin@python-works.com>
parents:
761
diff
changeset
|
584 |
1246 | 585 |
239
b18f89d6d17f
Adde draft for permissions systems, made all needed decorators, and checks. For future usage in the system.
Marcin Kuzminski <marcin@python-works.com>
parents:
234
diff
changeset
|
586 class PermsDecorator(object): |
1117
6eb5bb24a948
Major rewrite of auth objects. Moved parts of filling user data into user model.
Marcin Kuzminski <marcin@python-works.com>
parents:
1116
diff
changeset
|
587 """Base class for controller decorators""" |
673
dd532af216d9
#49 Enabled anonymous access for web interface controllable from permissions pannel
Marcin Kuzminski <marcin@python-works.com>
parents:
629
diff
changeset
|
588 |
316
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
589 def __init__(self, *required_perms): |
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
590 available_perms = config['available_permissions'] |
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
591 for perm in required_perms: |
239
b18f89d6d17f
Adde draft for permissions systems, made all needed decorators, and checks. For future usage in the system.
Marcin Kuzminski <marcin@python-works.com>
parents:
234
diff
changeset
|
592 if perm not in available_perms: |
316
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
593 raise Exception("'%s' permission is not defined" % perm) |
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
594 self.required_perms = set(required_perms) |
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
595 self.user_perms = None |
673
dd532af216d9
#49 Enabled anonymous access for web interface controllable from permissions pannel
Marcin Kuzminski <marcin@python-works.com>
parents:
629
diff
changeset
|
596 |
316
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
597 def __call__(self, func): |
377
bd8b25ad058d
Fixed decorators bug when using them with keyworded arguments,new implementation takes new approach that is more flexible
Marcin Kuzminski <marcin@python-works.com>
parents:
371
diff
changeset
|
598 return decorator(self.__wrapper, func) |
673
dd532af216d9
#49 Enabled anonymous access for web interface controllable from permissions pannel
Marcin Kuzminski <marcin@python-works.com>
parents:
629
diff
changeset
|
599 |
377
bd8b25ad058d
Fixed decorators bug when using them with keyworded arguments,new implementation takes new approach that is more flexible
Marcin Kuzminski <marcin@python-works.com>
parents:
371
diff
changeset
|
600 def __wrapper(self, func, *fargs, **fkwargs): |
1117
6eb5bb24a948
Major rewrite of auth objects. Moved parts of filling user data into user model.
Marcin Kuzminski <marcin@python-works.com>
parents:
1116
diff
changeset
|
601 cls = fargs[0] |
6eb5bb24a948
Major rewrite of auth objects. Moved parts of filling user data into user model.
Marcin Kuzminski <marcin@python-works.com>
parents:
1116
diff
changeset
|
602 self.user = cls.rhodecode_user |
673
dd532af216d9
#49 Enabled anonymous access for web interface controllable from permissions pannel
Marcin Kuzminski <marcin@python-works.com>
parents:
629
diff
changeset
|
603 self.user_perms = self.user.permissions |
dd532af216d9
#49 Enabled anonymous access for web interface controllable from permissions pannel
Marcin Kuzminski <marcin@python-works.com>
parents:
629
diff
changeset
|
604 log.debug('checking %s permissions %s for %s %s', |
2125
097327aaf2ad
more detailed logging on auth system
Marcin Kuzminski <marcin@python-works.com>
parents:
2109
diff
changeset
|
605 self.__class__.__name__, self.required_perms, cls, self.user) |
377
bd8b25ad058d
Fixed decorators bug when using them with keyworded arguments,new implementation takes new approach that is more flexible
Marcin Kuzminski <marcin@python-works.com>
parents:
371
diff
changeset
|
606 |
bd8b25ad058d
Fixed decorators bug when using them with keyworded arguments,new implementation takes new approach that is more flexible
Marcin Kuzminski <marcin@python-works.com>
parents:
371
diff
changeset
|
607 if self.check_permissions(): |
1976 | 608 log.debug('Permission granted for %s %s' % (cls, self.user)) |
377
bd8b25ad058d
Fixed decorators bug when using them with keyworded arguments,new implementation takes new approach that is more flexible
Marcin Kuzminski <marcin@python-works.com>
parents:
371
diff
changeset
|
609 return func(*fargs, **fkwargs) |
673
dd532af216d9
#49 Enabled anonymous access for web interface controllable from permissions pannel
Marcin Kuzminski <marcin@python-works.com>
parents:
629
diff
changeset
|
610 |
377
bd8b25ad058d
Fixed decorators bug when using them with keyworded arguments,new implementation takes new approach that is more flexible
Marcin Kuzminski <marcin@python-works.com>
parents:
371
diff
changeset
|
611 else: |
2025
7e979933ffec
more work on improving info logging
Marcin Kuzminski <marcin@python-works.com>
parents:
2000
diff
changeset
|
612 log.debug('Permission denied for %s %s' % (cls, self.user)) |
1336
e9fe4ff57cbb
Do a redirect to login for anonymous users
Marcin Kuzminski <marcin@python-works.com>
parents:
1335
diff
changeset
|
613 anonymous = self.user.username == 'default' |
e9fe4ff57cbb
Do a redirect to login for anonymous users
Marcin Kuzminski <marcin@python-works.com>
parents:
1335
diff
changeset
|
614 |
e9fe4ff57cbb
Do a redirect to login for anonymous users
Marcin Kuzminski <marcin@python-works.com>
parents:
1335
diff
changeset
|
615 if anonymous: |
e9fe4ff57cbb
Do a redirect to login for anonymous users
Marcin Kuzminski <marcin@python-works.com>
parents:
1335
diff
changeset
|
616 p = url.current() |
e9fe4ff57cbb
Do a redirect to login for anonymous users
Marcin Kuzminski <marcin@python-works.com>
parents:
1335
diff
changeset
|
617 |
e9fe4ff57cbb
Do a redirect to login for anonymous users
Marcin Kuzminski <marcin@python-works.com>
parents:
1335
diff
changeset
|
618 import rhodecode.lib.helpers as h |
e9fe4ff57cbb
Do a redirect to login for anonymous users
Marcin Kuzminski <marcin@python-works.com>
parents:
1335
diff
changeset
|
619 h.flash(_('You need to be a signed in to ' |
e9fe4ff57cbb
Do a redirect to login for anonymous users
Marcin Kuzminski <marcin@python-works.com>
parents:
1335
diff
changeset
|
620 'view this page'), |
e9fe4ff57cbb
Do a redirect to login for anonymous users
Marcin Kuzminski <marcin@python-works.com>
parents:
1335
diff
changeset
|
621 category='warning') |
e9fe4ff57cbb
Do a redirect to login for anonymous users
Marcin Kuzminski <marcin@python-works.com>
parents:
1335
diff
changeset
|
622 return redirect(url('login_home', came_from=p)) |
e9fe4ff57cbb
Do a redirect to login for anonymous users
Marcin Kuzminski <marcin@python-works.com>
parents:
1335
diff
changeset
|
623 |
e9fe4ff57cbb
Do a redirect to login for anonymous users
Marcin Kuzminski <marcin@python-works.com>
parents:
1335
diff
changeset
|
624 else: |
1628
de71a4bde097
Some code cleanups and fixes
Marcin Kuzminski <marcin@python-works.com>
parents:
1621
diff
changeset
|
625 # redirect with forbidden ret code |
1336
e9fe4ff57cbb
Do a redirect to login for anonymous users
Marcin Kuzminski <marcin@python-works.com>
parents:
1335
diff
changeset
|
626 return abort(403) |
377
bd8b25ad058d
Fixed decorators bug when using them with keyworded arguments,new implementation takes new approach that is more flexible
Marcin Kuzminski <marcin@python-works.com>
parents:
371
diff
changeset
|
627 |
239
b18f89d6d17f
Adde draft for permissions systems, made all needed decorators, and checks. For future usage in the system.
Marcin Kuzminski <marcin@python-works.com>
parents:
234
diff
changeset
|
628 def check_permissions(self): |
377
bd8b25ad058d
Fixed decorators bug when using them with keyworded arguments,new implementation takes new approach that is more flexible
Marcin Kuzminski <marcin@python-works.com>
parents:
371
diff
changeset
|
629 """Dummy function for overriding""" |
239
b18f89d6d17f
Adde draft for permissions systems, made all needed decorators, and checks. For future usage in the system.
Marcin Kuzminski <marcin@python-works.com>
parents:
234
diff
changeset
|
630 raise Exception('You have to write this function in child class') |
b18f89d6d17f
Adde draft for permissions systems, made all needed decorators, and checks. For future usage in the system.
Marcin Kuzminski <marcin@python-works.com>
parents:
234
diff
changeset
|
631 |
1246 | 632 |
316
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
633 class HasPermissionAllDecorator(PermsDecorator): |
1716
7d1fc253549e
notification to commit author + gardening
Marcin Kuzminski <marcin@python-works.com>
parents:
1644
diff
changeset
|
634 """ |
7d1fc253549e
notification to commit author + gardening
Marcin Kuzminski <marcin@python-works.com>
parents:
1644
diff
changeset
|
635 Checks for access permission for all given predicates. All of them |
377
bd8b25ad058d
Fixed decorators bug when using them with keyworded arguments,new implementation takes new approach that is more flexible
Marcin Kuzminski <marcin@python-works.com>
parents:
371
diff
changeset
|
636 have to be meet in order to fulfill the request |
239
b18f89d6d17f
Adde draft for permissions systems, made all needed decorators, and checks. For future usage in the system.
Marcin Kuzminski <marcin@python-works.com>
parents:
234
diff
changeset
|
637 """ |
673
dd532af216d9
#49 Enabled anonymous access for web interface controllable from permissions pannel
Marcin Kuzminski <marcin@python-works.com>
parents:
629
diff
changeset
|
638 |
239
b18f89d6d17f
Adde draft for permissions systems, made all needed decorators, and checks. For future usage in the system.
Marcin Kuzminski <marcin@python-works.com>
parents:
234
diff
changeset
|
639 def check_permissions(self): |
339
5d517bbf0a0d
some extra checks for auth lib
Marcin Kuzminski <marcin@python-works.com>
parents:
333
diff
changeset
|
640 if self.required_perms.issubset(self.user_perms.get('global')): |
239
b18f89d6d17f
Adde draft for permissions systems, made all needed decorators, and checks. For future usage in the system.
Marcin Kuzminski <marcin@python-works.com>
parents:
234
diff
changeset
|
641 return True |
b18f89d6d17f
Adde draft for permissions systems, made all needed decorators, and checks. For future usage in the system.
Marcin Kuzminski <marcin@python-works.com>
parents:
234
diff
changeset
|
642 return False |
673
dd532af216d9
#49 Enabled anonymous access for web interface controllable from permissions pannel
Marcin Kuzminski <marcin@python-works.com>
parents:
629
diff
changeset
|
643 |
239
b18f89d6d17f
Adde draft for permissions systems, made all needed decorators, and checks. For future usage in the system.
Marcin Kuzminski <marcin@python-works.com>
parents:
234
diff
changeset
|
644 |
316
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
645 class HasPermissionAnyDecorator(PermsDecorator): |
1716
7d1fc253549e
notification to commit author + gardening
Marcin Kuzminski <marcin@python-works.com>
parents:
1644
diff
changeset
|
646 """ |
7d1fc253549e
notification to commit author + gardening
Marcin Kuzminski <marcin@python-works.com>
parents:
1644
diff
changeset
|
647 Checks for access permission for any of given predicates. In order to |
239
b18f89d6d17f
Adde draft for permissions systems, made all needed decorators, and checks. For future usage in the system.
Marcin Kuzminski <marcin@python-works.com>
parents:
234
diff
changeset
|
648 fulfill the request any of predicates must be meet |
b18f89d6d17f
Adde draft for permissions systems, made all needed decorators, and checks. For future usage in the system.
Marcin Kuzminski <marcin@python-works.com>
parents:
234
diff
changeset
|
649 """ |
673
dd532af216d9
#49 Enabled anonymous access for web interface controllable from permissions pannel
Marcin Kuzminski <marcin@python-works.com>
parents:
629
diff
changeset
|
650 |
239
b18f89d6d17f
Adde draft for permissions systems, made all needed decorators, and checks. For future usage in the system.
Marcin Kuzminski <marcin@python-works.com>
parents:
234
diff
changeset
|
651 def check_permissions(self): |
339
5d517bbf0a0d
some extra checks for auth lib
Marcin Kuzminski <marcin@python-works.com>
parents:
333
diff
changeset
|
652 if self.required_perms.intersection(self.user_perms.get('global')): |
316
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
653 return True |
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
654 return False |
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
655 |
1246 | 656 |
316
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
657 class HasRepoPermissionAllDecorator(PermsDecorator): |
1716
7d1fc253549e
notification to commit author + gardening
Marcin Kuzminski <marcin@python-works.com>
parents:
1644
diff
changeset
|
658 """ |
7d1fc253549e
notification to commit author + gardening
Marcin Kuzminski <marcin@python-works.com>
parents:
1644
diff
changeset
|
659 Checks for access permission for all given predicates for specific |
316
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
660 repository. All of them have to be meet in order to fulfill the request |
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
661 """ |
673
dd532af216d9
#49 Enabled anonymous access for web interface controllable from permissions pannel
Marcin Kuzminski <marcin@python-works.com>
parents:
629
diff
changeset
|
662 |
316
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
663 def check_permissions(self): |
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
664 repo_name = get_repo_slug(request) |
339
5d517bbf0a0d
some extra checks for auth lib
Marcin Kuzminski <marcin@python-works.com>
parents:
333
diff
changeset
|
665 try: |
5d517bbf0a0d
some extra checks for auth lib
Marcin Kuzminski <marcin@python-works.com>
parents:
333
diff
changeset
|
666 user_perms = set([self.user_perms['repositories'][repo_name]]) |
5d517bbf0a0d
some extra checks for auth lib
Marcin Kuzminski <marcin@python-works.com>
parents:
333
diff
changeset
|
667 except KeyError: |
5d517bbf0a0d
some extra checks for auth lib
Marcin Kuzminski <marcin@python-works.com>
parents:
333
diff
changeset
|
668 return False |
316
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
669 if self.required_perms.issubset(user_perms): |
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
670 return True |
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
671 return False |
673
dd532af216d9
#49 Enabled anonymous access for web interface controllable from permissions pannel
Marcin Kuzminski <marcin@python-works.com>
parents:
629
diff
changeset
|
672 |
316
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
673 |
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
674 class HasRepoPermissionAnyDecorator(PermsDecorator): |
1716
7d1fc253549e
notification to commit author + gardening
Marcin Kuzminski <marcin@python-works.com>
parents:
1644
diff
changeset
|
675 """ |
7d1fc253549e
notification to commit author + gardening
Marcin Kuzminski <marcin@python-works.com>
parents:
1644
diff
changeset
|
676 Checks for access permission for any of given predicates for specific |
316
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
677 repository. In order to fulfill the request any of predicates must be meet |
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
678 """ |
673
dd532af216d9
#49 Enabled anonymous access for web interface controllable from permissions pannel
Marcin Kuzminski <marcin@python-works.com>
parents:
629
diff
changeset
|
679 |
316
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
680 def check_permissions(self): |
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
681 repo_name = get_repo_slug(request) |
339
5d517bbf0a0d
some extra checks for auth lib
Marcin Kuzminski <marcin@python-works.com>
parents:
333
diff
changeset
|
682 try: |
5d517bbf0a0d
some extra checks for auth lib
Marcin Kuzminski <marcin@python-works.com>
parents:
333
diff
changeset
|
683 user_perms = set([self.user_perms['repositories'][repo_name]]) |
5d517bbf0a0d
some extra checks for auth lib
Marcin Kuzminski <marcin@python-works.com>
parents:
333
diff
changeset
|
684 except KeyError: |
5d517bbf0a0d
some extra checks for auth lib
Marcin Kuzminski <marcin@python-works.com>
parents:
333
diff
changeset
|
685 return False |
2125
097327aaf2ad
more detailed logging on auth system
Marcin Kuzminski <marcin@python-works.com>
parents:
2109
diff
changeset
|
686 |
316
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
687 if self.required_perms.intersection(user_perms): |
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
688 return True |
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
689 return False |
1246 | 690 |
691 | |
1982
87f0800abc7b
#227 Initial version of repository groups permissions system
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
692 class HasReposGroupPermissionAllDecorator(PermsDecorator): |
87f0800abc7b
#227 Initial version of repository groups permissions system
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
693 """ |
87f0800abc7b
#227 Initial version of repository groups permissions system
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
694 Checks for access permission for all given predicates for specific |
87f0800abc7b
#227 Initial version of repository groups permissions system
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
695 repository. All of them have to be meet in order to fulfill the request |
87f0800abc7b
#227 Initial version of repository groups permissions system
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
696 """ |
87f0800abc7b
#227 Initial version of repository groups permissions system
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
697 |
87f0800abc7b
#227 Initial version of repository groups permissions system
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
698 def check_permissions(self): |
87f0800abc7b
#227 Initial version of repository groups permissions system
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
699 group_name = get_repos_group_slug(request) |
87f0800abc7b
#227 Initial version of repository groups permissions system
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
700 try: |
87f0800abc7b
#227 Initial version of repository groups permissions system
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
701 user_perms = set([self.user_perms['repositories_groups'][group_name]]) |
87f0800abc7b
#227 Initial version of repository groups permissions system
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
702 except KeyError: |
87f0800abc7b
#227 Initial version of repository groups permissions system
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
703 return False |
3222
b4daef4cc26d
Group management delegation:
Marcin Kuzminski <marcin@python-works.com>
parents:
3212
diff
changeset
|
704 |
1982
87f0800abc7b
#227 Initial version of repository groups permissions system
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
705 if self.required_perms.issubset(user_perms): |
87f0800abc7b
#227 Initial version of repository groups permissions system
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
706 return True |
87f0800abc7b
#227 Initial version of repository groups permissions system
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
707 return False |
87f0800abc7b
#227 Initial version of repository groups permissions system
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
708 |
87f0800abc7b
#227 Initial version of repository groups permissions system
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
709 |
87f0800abc7b
#227 Initial version of repository groups permissions system
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
710 class HasReposGroupPermissionAnyDecorator(PermsDecorator): |
87f0800abc7b
#227 Initial version of repository groups permissions system
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
711 """ |
87f0800abc7b
#227 Initial version of repository groups permissions system
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
712 Checks for access permission for any of given predicates for specific |
87f0800abc7b
#227 Initial version of repository groups permissions system
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
713 repository. In order to fulfill the request any of predicates must be meet |
87f0800abc7b
#227 Initial version of repository groups permissions system
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
714 """ |
87f0800abc7b
#227 Initial version of repository groups permissions system
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
715 |
87f0800abc7b
#227 Initial version of repository groups permissions system
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
716 def check_permissions(self): |
87f0800abc7b
#227 Initial version of repository groups permissions system
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
717 group_name = get_repos_group_slug(request) |
87f0800abc7b
#227 Initial version of repository groups permissions system
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
718 try: |
87f0800abc7b
#227 Initial version of repository groups permissions system
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
719 user_perms = set([self.user_perms['repositories_groups'][group_name]]) |
87f0800abc7b
#227 Initial version of repository groups permissions system
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
720 except KeyError: |
87f0800abc7b
#227 Initial version of repository groups permissions system
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
721 return False |
3222
b4daef4cc26d
Group management delegation:
Marcin Kuzminski <marcin@python-works.com>
parents:
3212
diff
changeset
|
722 |
1982
87f0800abc7b
#227 Initial version of repository groups permissions system
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
723 if self.required_perms.intersection(user_perms): |
87f0800abc7b
#227 Initial version of repository groups permissions system
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
724 return True |
87f0800abc7b
#227 Initial version of repository groups permissions system
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
725 return False |
87f0800abc7b
#227 Initial version of repository groups permissions system
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
726 |
87f0800abc7b
#227 Initial version of repository groups permissions system
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
727 |
1246 | 728 #============================================================================== |
316
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
729 # CHECK FUNCTIONS |
1246 | 730 #============================================================================== |
316
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
731 class PermsFunction(object): |
377
bd8b25ad058d
Fixed decorators bug when using them with keyworded arguments,new implementation takes new approach that is more flexible
Marcin Kuzminski <marcin@python-works.com>
parents:
371
diff
changeset
|
732 """Base function for other check functions""" |
673
dd532af216d9
#49 Enabled anonymous access for web interface controllable from permissions pannel
Marcin Kuzminski <marcin@python-works.com>
parents:
629
diff
changeset
|
733 |
316
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
734 def __init__(self, *perms): |
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
735 available_perms = config['available_permissions'] |
673
dd532af216d9
#49 Enabled anonymous access for web interface controllable from permissions pannel
Marcin Kuzminski <marcin@python-works.com>
parents:
629
diff
changeset
|
736 |
316
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
737 for perm in perms: |
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
738 if perm not in available_perms: |
2105
926f55b038bc
added initial rc-extension module
Marcin Kuzminski <marcin@python-works.com>
parents:
2100
diff
changeset
|
739 raise Exception("'%s' permission is not defined" % perm) |
316
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
740 self.required_perms = set(perms) |
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
741 self.user_perms = None |
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
742 self.repo_name = None |
2125
097327aaf2ad
more detailed logging on auth system
Marcin Kuzminski <marcin@python-works.com>
parents:
2109
diff
changeset
|
743 self.group_name = None |
673
dd532af216d9
#49 Enabled anonymous access for web interface controllable from permissions pannel
Marcin Kuzminski <marcin@python-works.com>
parents:
629
diff
changeset
|
744 |
3313
14697de1598f
refactor check_Location => check_location
Marcin Kuzminski <marcin@python-works.com>
parents:
3222
diff
changeset
|
745 def __call__(self, check_location=''): |
14697de1598f
refactor check_Location => check_location
Marcin Kuzminski <marcin@python-works.com>
parents:
3222
diff
changeset
|
746 #TODO: put user as attribute here |
1728
07e56179633e
- fixes celery sqlalchemy session issues for async forking
Marcin Kuzminski <marcin@python-works.com>
parents:
1718
diff
changeset
|
747 user = request.user |
2125
097327aaf2ad
more detailed logging on auth system
Marcin Kuzminski <marcin@python-works.com>
parents:
2109
diff
changeset
|
748 cls_name = self.__class__.__name__ |
097327aaf2ad
more detailed logging on auth system
Marcin Kuzminski <marcin@python-works.com>
parents:
2109
diff
changeset
|
749 check_scope = { |
097327aaf2ad
more detailed logging on auth system
Marcin Kuzminski <marcin@python-works.com>
parents:
2109
diff
changeset
|
750 'HasPermissionAll': '', |
097327aaf2ad
more detailed logging on auth system
Marcin Kuzminski <marcin@python-works.com>
parents:
2109
diff
changeset
|
751 'HasPermissionAny': '', |
097327aaf2ad
more detailed logging on auth system
Marcin Kuzminski <marcin@python-works.com>
parents:
2109
diff
changeset
|
752 'HasRepoPermissionAll': 'repo:%s' % self.repo_name, |
097327aaf2ad
more detailed logging on auth system
Marcin Kuzminski <marcin@python-works.com>
parents:
2109
diff
changeset
|
753 'HasRepoPermissionAny': 'repo:%s' % self.repo_name, |
097327aaf2ad
more detailed logging on auth system
Marcin Kuzminski <marcin@python-works.com>
parents:
2109
diff
changeset
|
754 'HasReposGroupPermissionAll': 'group:%s' % self.group_name, |
097327aaf2ad
more detailed logging on auth system
Marcin Kuzminski <marcin@python-works.com>
parents:
2109
diff
changeset
|
755 'HasReposGroupPermissionAny': 'group:%s' % self.group_name, |
097327aaf2ad
more detailed logging on auth system
Marcin Kuzminski <marcin@python-works.com>
parents:
2109
diff
changeset
|
756 }.get(cls_name, '?') |
097327aaf2ad
more detailed logging on auth system
Marcin Kuzminski <marcin@python-works.com>
parents:
2109
diff
changeset
|
757 log.debug('checking cls:%s %s usr:%s %s @ %s', cls_name, |
097327aaf2ad
more detailed logging on auth system
Marcin Kuzminski <marcin@python-works.com>
parents:
2109
diff
changeset
|
758 self.required_perms, user, check_scope, |
3313
14697de1598f
refactor check_Location => check_location
Marcin Kuzminski <marcin@python-works.com>
parents:
3222
diff
changeset
|
759 check_location or 'unspecified location') |
333 | 760 if not user: |
2045
5b12cbae0b50
fixed issue with sessions that lead to redirection loops
Marcin Kuzminski <marcin@python-works.com>
parents:
2030
diff
changeset
|
761 log.debug('Empty request user') |
333 | 762 return False |
316
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
763 self.user_perms = user.permissions |
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
764 if self.check_permissions(): |
3137
6c705abed11a
logging: include more info in grant/deny log entries
Mads Kiilerich <madski@unity3d.com>
parents:
3125
diff
changeset
|
765 log.debug('Permission to %s granted for user: %s @ %s', self.repo_name, user, |
3313
14697de1598f
refactor check_Location => check_location
Marcin Kuzminski <marcin@python-works.com>
parents:
3222
diff
changeset
|
766 check_location or 'unspecified location') |
316
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
767 return True |
673
dd532af216d9
#49 Enabled anonymous access for web interface controllable from permissions pannel
Marcin Kuzminski <marcin@python-works.com>
parents:
629
diff
changeset
|
768 |
316
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
769 else: |
3137
6c705abed11a
logging: include more info in grant/deny log entries
Mads Kiilerich <madski@unity3d.com>
parents:
3125
diff
changeset
|
770 log.debug('Permission to %s denied for user: %s @ %s', self.repo_name, user, |
3313
14697de1598f
refactor check_Location => check_location
Marcin Kuzminski <marcin@python-works.com>
parents:
3222
diff
changeset
|
771 check_location or 'unspecified location') |
673
dd532af216d9
#49 Enabled anonymous access for web interface controllable from permissions pannel
Marcin Kuzminski <marcin@python-works.com>
parents:
629
diff
changeset
|
772 return False |
dd532af216d9
#49 Enabled anonymous access for web interface controllable from permissions pannel
Marcin Kuzminski <marcin@python-works.com>
parents:
629
diff
changeset
|
773 |
316
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
774 def check_permissions(self): |
377
bd8b25ad058d
Fixed decorators bug when using them with keyworded arguments,new implementation takes new approach that is more flexible
Marcin Kuzminski <marcin@python-works.com>
parents:
371
diff
changeset
|
775 """Dummy function for overriding""" |
316
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
776 raise Exception('You have to write this function in child class') |
673
dd532af216d9
#49 Enabled anonymous access for web interface controllable from permissions pannel
Marcin Kuzminski <marcin@python-works.com>
parents:
629
diff
changeset
|
777 |
1246 | 778 |
316
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
779 class HasPermissionAll(PermsFunction): |
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
780 def check_permissions(self): |
339
5d517bbf0a0d
some extra checks for auth lib
Marcin Kuzminski <marcin@python-works.com>
parents:
333
diff
changeset
|
781 if self.required_perms.issubset(self.user_perms.get('global')): |
316
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
782 return True |
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
783 return False |
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
784 |
1246 | 785 |
316
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
786 class HasPermissionAny(PermsFunction): |
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
787 def check_permissions(self): |
339
5d517bbf0a0d
some extra checks for auth lib
Marcin Kuzminski <marcin@python-works.com>
parents:
333
diff
changeset
|
788 if self.required_perms.intersection(self.user_perms.get('global')): |
316
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
789 return True |
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
790 return False |
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
791 |
1246 | 792 |
316
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
793 class HasRepoPermissionAll(PermsFunction): |
3313
14697de1598f
refactor check_Location => check_location
Marcin Kuzminski <marcin@python-works.com>
parents:
3222
diff
changeset
|
794 def __call__(self, repo_name=None, check_location=''): |
316
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
795 self.repo_name = repo_name |
3313
14697de1598f
refactor check_Location => check_location
Marcin Kuzminski <marcin@python-works.com>
parents:
3222
diff
changeset
|
796 return super(HasRepoPermissionAll, self).__call__(check_location) |
673
dd532af216d9
#49 Enabled anonymous access for web interface controllable from permissions pannel
Marcin Kuzminski <marcin@python-works.com>
parents:
629
diff
changeset
|
797 |
316
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
798 def check_permissions(self): |
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
799 if not self.repo_name: |
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
800 self.repo_name = get_repo_slug(request) |
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
801 |
339
5d517bbf0a0d
some extra checks for auth lib
Marcin Kuzminski <marcin@python-works.com>
parents:
333
diff
changeset
|
802 try: |
2125
097327aaf2ad
more detailed logging on auth system
Marcin Kuzminski <marcin@python-works.com>
parents:
2109
diff
changeset
|
803 self._user_perms = set( |
1982
87f0800abc7b
#227 Initial version of repository groups permissions system
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
804 [self.user_perms['repositories'][self.repo_name]] |
87f0800abc7b
#227 Initial version of repository groups permissions system
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
805 ) |
339
5d517bbf0a0d
some extra checks for auth lib
Marcin Kuzminski <marcin@python-works.com>
parents:
333
diff
changeset
|
806 except KeyError: |
5d517bbf0a0d
some extra checks for auth lib
Marcin Kuzminski <marcin@python-works.com>
parents:
333
diff
changeset
|
807 return False |
2125
097327aaf2ad
more detailed logging on auth system
Marcin Kuzminski <marcin@python-works.com>
parents:
2109
diff
changeset
|
808 if self.required_perms.issubset(self._user_perms): |
316
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
809 return True |
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
810 return False |
673
dd532af216d9
#49 Enabled anonymous access for web interface controllable from permissions pannel
Marcin Kuzminski <marcin@python-works.com>
parents:
629
diff
changeset
|
811 |
1246 | 812 |
316
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
813 class HasRepoPermissionAny(PermsFunction): |
3313
14697de1598f
refactor check_Location => check_location
Marcin Kuzminski <marcin@python-works.com>
parents:
3222
diff
changeset
|
814 def __call__(self, repo_name=None, check_location=''): |
316
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
815 self.repo_name = repo_name |
3313
14697de1598f
refactor check_Location => check_location
Marcin Kuzminski <marcin@python-works.com>
parents:
3222
diff
changeset
|
816 return super(HasRepoPermissionAny, self).__call__(check_location) |
673
dd532af216d9
#49 Enabled anonymous access for web interface controllable from permissions pannel
Marcin Kuzminski <marcin@python-works.com>
parents:
629
diff
changeset
|
817 |
316
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
818 def check_permissions(self): |
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
819 if not self.repo_name: |
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
820 self.repo_name = get_repo_slug(request) |
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
821 |
339
5d517bbf0a0d
some extra checks for auth lib
Marcin Kuzminski <marcin@python-works.com>
parents:
333
diff
changeset
|
822 try: |
2125
097327aaf2ad
more detailed logging on auth system
Marcin Kuzminski <marcin@python-works.com>
parents:
2109
diff
changeset
|
823 self._user_perms = set( |
1982
87f0800abc7b
#227 Initial version of repository groups permissions system
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
824 [self.user_perms['repositories'][self.repo_name]] |
87f0800abc7b
#227 Initial version of repository groups permissions system
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
825 ) |
339
5d517bbf0a0d
some extra checks for auth lib
Marcin Kuzminski <marcin@python-works.com>
parents:
333
diff
changeset
|
826 except KeyError: |
5d517bbf0a0d
some extra checks for auth lib
Marcin Kuzminski <marcin@python-works.com>
parents:
333
diff
changeset
|
827 return False |
2125
097327aaf2ad
more detailed logging on auth system
Marcin Kuzminski <marcin@python-works.com>
parents:
2109
diff
changeset
|
828 if self.required_perms.intersection(self._user_perms): |
239
b18f89d6d17f
Adde draft for permissions systems, made all needed decorators, and checks. For future usage in the system.
Marcin Kuzminski <marcin@python-works.com>
parents:
234
diff
changeset
|
829 return True |
b18f89d6d17f
Adde draft for permissions systems, made all needed decorators, and checks. For future usage in the system.
Marcin Kuzminski <marcin@python-works.com>
parents:
234
diff
changeset
|
830 return False |
b18f89d6d17f
Adde draft for permissions systems, made all needed decorators, and checks. For future usage in the system.
Marcin Kuzminski <marcin@python-works.com>
parents:
234
diff
changeset
|
831 |
1246 | 832 |
1982
87f0800abc7b
#227 Initial version of repository groups permissions system
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
833 class HasReposGroupPermissionAny(PermsFunction): |
3313
14697de1598f
refactor check_Location => check_location
Marcin Kuzminski <marcin@python-works.com>
parents:
3222
diff
changeset
|
834 def __call__(self, group_name=None, check_location=''): |
1982
87f0800abc7b
#227 Initial version of repository groups permissions system
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
835 self.group_name = group_name |
3313
14697de1598f
refactor check_Location => check_location
Marcin Kuzminski <marcin@python-works.com>
parents:
3222
diff
changeset
|
836 return super(HasReposGroupPermissionAny, self).__call__(check_location) |
1982
87f0800abc7b
#227 Initial version of repository groups permissions system
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
837 |
87f0800abc7b
#227 Initial version of repository groups permissions system
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
838 def check_permissions(self): |
87f0800abc7b
#227 Initial version of repository groups permissions system
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
839 try: |
2125
097327aaf2ad
more detailed logging on auth system
Marcin Kuzminski <marcin@python-works.com>
parents:
2109
diff
changeset
|
840 self._user_perms = set( |
1982
87f0800abc7b
#227 Initial version of repository groups permissions system
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
841 [self.user_perms['repositories_groups'][self.group_name]] |
87f0800abc7b
#227 Initial version of repository groups permissions system
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
842 ) |
87f0800abc7b
#227 Initial version of repository groups permissions system
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
843 except KeyError: |
87f0800abc7b
#227 Initial version of repository groups permissions system
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
844 return False |
2125
097327aaf2ad
more detailed logging on auth system
Marcin Kuzminski <marcin@python-works.com>
parents:
2109
diff
changeset
|
845 if self.required_perms.intersection(self._user_perms): |
1982
87f0800abc7b
#227 Initial version of repository groups permissions system
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
846 return True |
87f0800abc7b
#227 Initial version of repository groups permissions system
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
847 return False |
87f0800abc7b
#227 Initial version of repository groups permissions system
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
848 |
87f0800abc7b
#227 Initial version of repository groups permissions system
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
849 |
87f0800abc7b
#227 Initial version of repository groups permissions system
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
850 class HasReposGroupPermissionAll(PermsFunction): |
3313
14697de1598f
refactor check_Location => check_location
Marcin Kuzminski <marcin@python-works.com>
parents:
3222
diff
changeset
|
851 def __call__(self, group_name=None, check_location=''): |
1982
87f0800abc7b
#227 Initial version of repository groups permissions system
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
852 self.group_name = group_name |
3313
14697de1598f
refactor check_Location => check_location
Marcin Kuzminski <marcin@python-works.com>
parents:
3222
diff
changeset
|
853 return super(HasReposGroupPermissionAll, self).__call__(check_location) |
1982
87f0800abc7b
#227 Initial version of repository groups permissions system
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
854 |
87f0800abc7b
#227 Initial version of repository groups permissions system
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
855 def check_permissions(self): |
87f0800abc7b
#227 Initial version of repository groups permissions system
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
856 try: |
2125
097327aaf2ad
more detailed logging on auth system
Marcin Kuzminski <marcin@python-works.com>
parents:
2109
diff
changeset
|
857 self._user_perms = set( |
1982
87f0800abc7b
#227 Initial version of repository groups permissions system
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
858 [self.user_perms['repositories_groups'][self.group_name]] |
87f0800abc7b
#227 Initial version of repository groups permissions system
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
859 ) |
87f0800abc7b
#227 Initial version of repository groups permissions system
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
860 except KeyError: |
87f0800abc7b
#227 Initial version of repository groups permissions system
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
861 return False |
2125
097327aaf2ad
more detailed logging on auth system
Marcin Kuzminski <marcin@python-works.com>
parents:
2109
diff
changeset
|
862 if self.required_perms.issubset(self._user_perms): |
1982
87f0800abc7b
#227 Initial version of repository groups permissions system
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
863 return True |
87f0800abc7b
#227 Initial version of repository groups permissions system
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
864 return False |
87f0800abc7b
#227 Initial version of repository groups permissions system
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
865 |
87f0800abc7b
#227 Initial version of repository groups permissions system
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
866 |
1246 | 867 #============================================================================== |
316
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
868 # SPECIAL VERSION TO HANDLE MIDDLEWARE AUTH |
1246 | 869 #============================================================================== |
316
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
870 class HasPermissionAnyMiddleware(object): |
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
871 def __init__(self, *perms): |
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
872 self.required_perms = set(perms) |
673
dd532af216d9
#49 Enabled anonymous access for web interface controllable from permissions pannel
Marcin Kuzminski <marcin@python-works.com>
parents:
629
diff
changeset
|
873 |
316
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
874 def __call__(self, user, repo_name): |
2100
f0649c7cf94a
fixed some unicode problems with waitress
Marcin Kuzminski <marcin@python-works.com>
parents:
2045
diff
changeset
|
875 # repo_name MUST be unicode, since we handle keys in permission |
f0649c7cf94a
fixed some unicode problems with waitress
Marcin Kuzminski <marcin@python-works.com>
parents:
2045
diff
changeset
|
876 # dict by unicode |
f0649c7cf94a
fixed some unicode problems with waitress
Marcin Kuzminski <marcin@python-works.com>
parents:
2045
diff
changeset
|
877 repo_name = safe_unicode(repo_name) |
1117
6eb5bb24a948
Major rewrite of auth objects. Moved parts of filling user data into user model.
Marcin Kuzminski <marcin@python-works.com>
parents:
1116
diff
changeset
|
878 usr = AuthUser(user.user_id) |
316
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
879 try: |
1117
6eb5bb24a948
Major rewrite of auth objects. Moved parts of filling user data into user model.
Marcin Kuzminski <marcin@python-works.com>
parents:
1116
diff
changeset
|
880 self.user_perms = set([usr.permissions['repositories'][repo_name]]) |
2100
f0649c7cf94a
fixed some unicode problems with waitress
Marcin Kuzminski <marcin@python-works.com>
parents:
2045
diff
changeset
|
881 except Exception: |
2109 | 882 log.error('Exception while accessing permissions %s' % |
2100
f0649c7cf94a
fixed some unicode problems with waitress
Marcin Kuzminski <marcin@python-works.com>
parents:
2045
diff
changeset
|
883 traceback.format_exc()) |
316
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
884 self.user_perms = set() |
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
885 self.username = user.username |
673
dd532af216d9
#49 Enabled anonymous access for web interface controllable from permissions pannel
Marcin Kuzminski <marcin@python-works.com>
parents:
629
diff
changeset
|
886 self.repo_name = repo_name |
316
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
887 return self.check_permissions() |
673
dd532af216d9
#49 Enabled anonymous access for web interface controllable from permissions pannel
Marcin Kuzminski <marcin@python-works.com>
parents:
629
diff
changeset
|
888 |
316
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
889 def check_permissions(self): |
2726
aa17c7a1b8a5
Implemented basic locking functionality.
Marcin Kuzminski <marcin@python-works.com>
parents:
2714
diff
changeset
|
890 log.debug('checking VCS protocol ' |
1040
8e49b6ceffe1
fixes fixes fixes ! optimized queries on journal
Marcin Kuzminski <marcin@python-works.com>
parents:
1036
diff
changeset
|
891 'permissions %s for user:%s repository:%s', self.user_perms, |
316
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
892 self.username, self.repo_name) |
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
893 if self.required_perms.intersection(self.user_perms): |
2125
097327aaf2ad
more detailed logging on auth system
Marcin Kuzminski <marcin@python-works.com>
parents:
2109
diff
changeset
|
894 log.debug('permission granted for user:%s on repo:%s' % ( |
097327aaf2ad
more detailed logging on auth system
Marcin Kuzminski <marcin@python-works.com>
parents:
2109
diff
changeset
|
895 self.username, self.repo_name |
097327aaf2ad
more detailed logging on auth system
Marcin Kuzminski <marcin@python-works.com>
parents:
2109
diff
changeset
|
896 ) |
097327aaf2ad
more detailed logging on auth system
Marcin Kuzminski <marcin@python-works.com>
parents:
2109
diff
changeset
|
897 ) |
316
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
898 return True |
2125
097327aaf2ad
more detailed logging on auth system
Marcin Kuzminski <marcin@python-works.com>
parents:
2109
diff
changeset
|
899 log.debug('permission denied for user:%s on repo:%s' % ( |
097327aaf2ad
more detailed logging on auth system
Marcin Kuzminski <marcin@python-works.com>
parents:
2109
diff
changeset
|
900 self.username, self.repo_name |
097327aaf2ad
more detailed logging on auth system
Marcin Kuzminski <marcin@python-works.com>
parents:
2109
diff
changeset
|
901 ) |
097327aaf2ad
more detailed logging on auth system
Marcin Kuzminski <marcin@python-works.com>
parents:
2109
diff
changeset
|
902 ) |
316
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
903 return False |
3125
9b92cf5a0cca
Added UserIpMap interface for allowed IP addresses and IP restriction access
Marcin Kuzminski <marcin@python-works.com>
parents:
2726
diff
changeset
|
904 |
9b92cf5a0cca
Added UserIpMap interface for allowed IP addresses and IP restriction access
Marcin Kuzminski <marcin@python-works.com>
parents:
2726
diff
changeset
|
905 |
3161
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
906 #============================================================================== |
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
907 # SPECIAL VERSION TO HANDLE API AUTH |
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
908 #============================================================================== |
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
909 class _BaseApiPerm(object): |
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
910 def __init__(self, *perms): |
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
911 self.required_perms = set(perms) |
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
912 |
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
913 def __call__(self, check_location='unspecified', user=None, repo_name=None): |
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
914 cls_name = self.__class__.__name__ |
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
915 check_scope = 'user:%s, repo:%s' % (user, repo_name) |
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
916 log.debug('checking cls:%s %s %s @ %s', cls_name, |
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
917 self.required_perms, check_scope, check_location) |
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
918 if not user: |
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
919 log.debug('Empty User passed into arguments') |
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
920 return False |
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
921 |
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
922 ## process user |
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
923 if not isinstance(user, AuthUser): |
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
924 user = AuthUser(user.user_id) |
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
925 |
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
926 if self.check_permissions(user.permissions, repo_name): |
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
927 log.debug('Permission to %s granted for user: %s @ %s', repo_name, |
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
928 user, check_location) |
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
929 return True |
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
930 |
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
931 else: |
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
932 log.debug('Permission to %s denied for user: %s @ %s', repo_name, |
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
933 user, check_location) |
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
934 return False |
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
935 |
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
936 def check_permissions(self, perm_defs, repo_name): |
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
937 """ |
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
938 implement in child class should return True if permissions are ok, |
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
939 False otherwise |
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
940 |
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
941 :param perm_defs: dict with permission definitions |
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
942 :param repo_name: repo name |
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
943 """ |
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
944 raise NotImplementedError() |
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
945 |
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
946 |
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
947 class HasPermissionAllApi(_BaseApiPerm): |
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
948 def __call__(self, user, check_location=''): |
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
949 return super(HasPermissionAllApi, self)\ |
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
950 .__call__(check_location=check_location, user=user) |
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
951 |
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
952 def check_permissions(self, perm_defs, repo): |
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
953 if self.required_perms.issubset(perm_defs.get('global')): |
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
954 return True |
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
955 return False |
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
956 |
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
957 |
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
958 class HasPermissionAnyApi(_BaseApiPerm): |
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
959 def __call__(self, user, check_location=''): |
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
960 return super(HasPermissionAnyApi, self)\ |
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
961 .__call__(check_location=check_location, user=user) |
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
962 |
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
963 def check_permissions(self, perm_defs, repo): |
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
964 if self.required_perms.intersection(perm_defs.get('global')): |
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
965 return True |
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
966 return False |
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
967 |
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
968 |
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
969 class HasRepoPermissionAllApi(_BaseApiPerm): |
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
970 def __call__(self, user, repo_name, check_location=''): |
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
971 return super(HasRepoPermissionAllApi, self)\ |
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
972 .__call__(check_location=check_location, user=user, |
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
973 repo_name=repo_name) |
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
974 |
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
975 def check_permissions(self, perm_defs, repo_name): |
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
976 |
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
977 try: |
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
978 self._user_perms = set( |
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
979 [perm_defs['repositories'][repo_name]] |
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
980 ) |
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
981 except KeyError: |
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
982 log.warning(traceback.format_exc()) |
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
983 return False |
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
984 if self.required_perms.issubset(self._user_perms): |
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
985 return True |
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
986 return False |
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
987 |
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
988 |
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
989 class HasRepoPermissionAnyApi(_BaseApiPerm): |
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
990 def __call__(self, user, repo_name, check_location=''): |
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
991 return super(HasRepoPermissionAnyApi, self)\ |
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
992 .__call__(check_location=check_location, user=user, |
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
993 repo_name=repo_name) |
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
994 |
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
995 def check_permissions(self, perm_defs, repo_name): |
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
996 |
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
997 try: |
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
998 _user_perms = set( |
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
999 [perm_defs['repositories'][repo_name]] |
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
1000 ) |
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
1001 except KeyError: |
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
1002 log.warning(traceback.format_exc()) |
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
1003 return False |
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
1004 if self.required_perms.intersection(_user_perms): |
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
1005 return True |
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
1006 return False |
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
1007 |
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
1008 |
3125
9b92cf5a0cca
Added UserIpMap interface for allowed IP addresses and IP restriction access
Marcin Kuzminski <marcin@python-works.com>
parents:
2726
diff
changeset
|
1009 def check_ip_access(source_ip, allowed_ips=None): |
9b92cf5a0cca
Added UserIpMap interface for allowed IP addresses and IP restriction access
Marcin Kuzminski <marcin@python-works.com>
parents:
2726
diff
changeset
|
1010 """ |
9b92cf5a0cca
Added UserIpMap interface for allowed IP addresses and IP restriction access
Marcin Kuzminski <marcin@python-works.com>
parents:
2726
diff
changeset
|
1011 Checks if source_ip is a subnet of any of allowed_ips. |
9b92cf5a0cca
Added UserIpMap interface for allowed IP addresses and IP restriction access
Marcin Kuzminski <marcin@python-works.com>
parents:
2726
diff
changeset
|
1012 |
9b92cf5a0cca
Added UserIpMap interface for allowed IP addresses and IP restriction access
Marcin Kuzminski <marcin@python-works.com>
parents:
2726
diff
changeset
|
1013 :param source_ip: |
9b92cf5a0cca
Added UserIpMap interface for allowed IP addresses and IP restriction access
Marcin Kuzminski <marcin@python-works.com>
parents:
2726
diff
changeset
|
1014 :param allowed_ips: list of allowed ips together with mask |
9b92cf5a0cca
Added UserIpMap interface for allowed IP addresses and IP restriction access
Marcin Kuzminski <marcin@python-works.com>
parents:
2726
diff
changeset
|
1015 """ |
9b92cf5a0cca
Added UserIpMap interface for allowed IP addresses and IP restriction access
Marcin Kuzminski <marcin@python-works.com>
parents:
2726
diff
changeset
|
1016 from rhodecode.lib import ipaddr |
9b92cf5a0cca
Added UserIpMap interface for allowed IP addresses and IP restriction access
Marcin Kuzminski <marcin@python-works.com>
parents:
2726
diff
changeset
|
1017 log.debug('checking if ip:%s is subnet of %s' % (source_ip, allowed_ips)) |
9b92cf5a0cca
Added UserIpMap interface for allowed IP addresses and IP restriction access
Marcin Kuzminski <marcin@python-works.com>
parents:
2726
diff
changeset
|
1018 if isinstance(allowed_ips, (tuple, list, set)): |
9b92cf5a0cca
Added UserIpMap interface for allowed IP addresses and IP restriction access
Marcin Kuzminski <marcin@python-works.com>
parents:
2726
diff
changeset
|
1019 for ip in allowed_ips: |
3212
6c28533d122c
IP restrictions now also enabled for IPv6
Marcin Kuzminski <marcin@python-works.com>
parents:
3173
diff
changeset
|
1020 try: |
6c28533d122c
IP restrictions now also enabled for IPv6
Marcin Kuzminski <marcin@python-works.com>
parents:
3173
diff
changeset
|
1021 if ipaddr.IPAddress(source_ip) in ipaddr.IPNetwork(ip): |
6c28533d122c
IP restrictions now also enabled for IPv6
Marcin Kuzminski <marcin@python-works.com>
parents:
3173
diff
changeset
|
1022 return True |
6c28533d122c
IP restrictions now also enabled for IPv6
Marcin Kuzminski <marcin@python-works.com>
parents:
3173
diff
changeset
|
1023 # for any case we cannot determine the IP, don't crash just |
6c28533d122c
IP restrictions now also enabled for IPv6
Marcin Kuzminski <marcin@python-works.com>
parents:
3173
diff
changeset
|
1024 # skip it and log as error, we want to say forbidden still when |
6c28533d122c
IP restrictions now also enabled for IPv6
Marcin Kuzminski <marcin@python-works.com>
parents:
3173
diff
changeset
|
1025 # sending bad IP |
6c28533d122c
IP restrictions now also enabled for IPv6
Marcin Kuzminski <marcin@python-works.com>
parents:
3173
diff
changeset
|
1026 except Exception: |
6c28533d122c
IP restrictions now also enabled for IPv6
Marcin Kuzminski <marcin@python-works.com>
parents:
3173
diff
changeset
|
1027 log.error(traceback.format_exc()) |
6c28533d122c
IP restrictions now also enabled for IPv6
Marcin Kuzminski <marcin@python-works.com>
parents:
3173
diff
changeset
|
1028 continue |
3125
9b92cf5a0cca
Added UserIpMap interface for allowed IP addresses and IP restriction access
Marcin Kuzminski <marcin@python-works.com>
parents:
2726
diff
changeset
|
1029 return False |