Mercurial > kallithea
annotate rhodecode/lib/auth.py @ 3229:aad51f79d040 beta
added a flag for generating pull-request comments, and force display on pull-requests
author | Marcin Kuzminski <marcin@python-works.com> |
---|---|
date | Sat, 26 Jan 2013 21:21:11 +0100 |
parents | b4daef4cc26d |
children | 14697de1598f |
rev | line source |
---|---|
895
62c04c5cc971
Added some more details into user edit permissions view
Marcin Kuzminski <marcin@python-works.com>
parents:
779
diff
changeset
|
1 # -*- coding: utf-8 -*- |
62c04c5cc971
Added some more details into user edit permissions view
Marcin Kuzminski <marcin@python-works.com>
parents:
779
diff
changeset
|
2 """ |
62c04c5cc971
Added some more details into user edit permissions view
Marcin Kuzminski <marcin@python-works.com>
parents:
779
diff
changeset
|
3 rhodecode.lib.auth |
62c04c5cc971
Added some more details into user edit permissions view
Marcin Kuzminski <marcin@python-works.com>
parents:
779
diff
changeset
|
4 ~~~~~~~~~~~~~~~~~~ |
1203
6832ef664673
source code cleanup: remove trailing white space, normalize file endings
Marcin Kuzminski <marcin@python-works.com>
parents:
1195
diff
changeset
|
5 |
895
62c04c5cc971
Added some more details into user edit permissions view
Marcin Kuzminski <marcin@python-works.com>
parents:
779
diff
changeset
|
6 authentication and permission libraries |
1203
6832ef664673
source code cleanup: remove trailing white space, normalize file endings
Marcin Kuzminski <marcin@python-works.com>
parents:
1195
diff
changeset
|
7 |
895
62c04c5cc971
Added some more details into user edit permissions view
Marcin Kuzminski <marcin@python-works.com>
parents:
779
diff
changeset
|
8 :created_on: Apr 4, 2010 |
1824
89efedac4e6c
2012 copyrights
Marcin Kuzminski <marcin@python-works.com>
parents:
1818
diff
changeset
|
9 :author: marcink |
89efedac4e6c
2012 copyrights
Marcin Kuzminski <marcin@python-works.com>
parents:
1818
diff
changeset
|
10 :copyright: (C) 2010-2012 Marcin Kuzminski <marcin@python-works.com> |
1532
2afe9320d5e6
updated docstrings
Marcin Kuzminski <marcin@python-works.com>
parents:
1530
diff
changeset
|
11 :license: GPLv3, see COPYING for more details. |
895
62c04c5cc971
Added some more details into user edit permissions view
Marcin Kuzminski <marcin@python-works.com>
parents:
779
diff
changeset
|
12 """ |
1206
a671db5bdd58
fixed license issue #149
Marcin Kuzminski <marcin@python-works.com>
parents:
1203
diff
changeset
|
13 # This program is free software: you can redistribute it and/or modify |
a671db5bdd58
fixed license issue #149
Marcin Kuzminski <marcin@python-works.com>
parents:
1203
diff
changeset
|
14 # it under the terms of the GNU General Public License as published by |
a671db5bdd58
fixed license issue #149
Marcin Kuzminski <marcin@python-works.com>
parents:
1203
diff
changeset
|
15 # the Free Software Foundation, either version 3 of the License, or |
a671db5bdd58
fixed license issue #149
Marcin Kuzminski <marcin@python-works.com>
parents:
1203
diff
changeset
|
16 # (at your option) any later version. |
1203
6832ef664673
source code cleanup: remove trailing white space, normalize file endings
Marcin Kuzminski <marcin@python-works.com>
parents:
1195
diff
changeset
|
17 # |
252
3782a6d698af
licensing updates, code cleanups
Marcin Kuzminski <marcin@python-works.com>
parents:
239
diff
changeset
|
18 # This program is distributed in the hope that it will be useful, |
3782a6d698af
licensing updates, code cleanups
Marcin Kuzminski <marcin@python-works.com>
parents:
239
diff
changeset
|
19 # but WITHOUT ANY WARRANTY; without even the implied warranty of |
3782a6d698af
licensing updates, code cleanups
Marcin Kuzminski <marcin@python-works.com>
parents:
239
diff
changeset
|
20 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
3782a6d698af
licensing updates, code cleanups
Marcin Kuzminski <marcin@python-works.com>
parents:
239
diff
changeset
|
21 # GNU General Public License for more details. |
1203
6832ef664673
source code cleanup: remove trailing white space, normalize file endings
Marcin Kuzminski <marcin@python-works.com>
parents:
1195
diff
changeset
|
22 # |
252
3782a6d698af
licensing updates, code cleanups
Marcin Kuzminski <marcin@python-works.com>
parents:
239
diff
changeset
|
23 # You should have received a copy of the GNU General Public License |
1206
a671db5bdd58
fixed license issue #149
Marcin Kuzminski <marcin@python-works.com>
parents:
1203
diff
changeset
|
24 # along with this program. If not, see <http://www.gnu.org/licenses/>. |
381
55377fdc1fc6
cleared global application settings.
Marcin Kuzminski <marcin@python-works.com>
parents:
380
diff
changeset
|
25 |
895
62c04c5cc971
Added some more details into user edit permissions view
Marcin Kuzminski <marcin@python-works.com>
parents:
779
diff
changeset
|
26 import random |
62c04c5cc971
Added some more details into user edit permissions view
Marcin Kuzminski <marcin@python-works.com>
parents:
779
diff
changeset
|
27 import logging |
62c04c5cc971
Added some more details into user edit permissions view
Marcin Kuzminski <marcin@python-works.com>
parents:
779
diff
changeset
|
28 import traceback |
1116
716911af91e1
Added api_key into user, api key get's generated again after password change
Marcin Kuzminski <marcin@python-works.com>
parents:
1056
diff
changeset
|
29 import hashlib |
1118
b0e2c949c34b
Fixed Windows installation based on work of Mantis406 fork: "Replace py-bcrypt to make Windows installation easier"
Marcin Kuzminski <marcin@python-works.com>
parents:
1117
diff
changeset
|
30 |
1116
716911af91e1
Added api_key into user, api key get's generated again after password change
Marcin Kuzminski <marcin@python-works.com>
parents:
1056
diff
changeset
|
31 from tempfile import _RandomNameSequence |
895
62c04c5cc971
Added some more details into user edit permissions view
Marcin Kuzminski <marcin@python-works.com>
parents:
779
diff
changeset
|
32 from decorator import decorator |
62c04c5cc971
Added some more details into user edit permissions view
Marcin Kuzminski <marcin@python-works.com>
parents:
779
diff
changeset
|
33 |
1982
87f0800abc7b
#227 Initial version of repository groups permissions system
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
34 from pylons import config, url, request |
52 | 35 from pylons.controllers.util import abort, redirect |
1056
520d27f40b51
#113 removed anonymous access from forking, added system messages in login box.
Marcin Kuzminski <marcin@python-works.com>
parents:
1040
diff
changeset
|
36 from pylons.i18n.translation import _ |
3212
6c28533d122c
IP restrictions now also enabled for IPv6
Marcin Kuzminski <marcin@python-works.com>
parents:
3173
diff
changeset
|
37 from sqlalchemy.orm.exc import ObjectDeletedError |
895
62c04c5cc971
Added some more details into user edit permissions view
Marcin Kuzminski <marcin@python-works.com>
parents:
779
diff
changeset
|
38 |
2634
4b17216f2110
Deprecated validation of operating system, we just care if it's windows, let approve all other
Marcin Kuzminski <marcin@python-works.com>
parents:
2479
diff
changeset
|
39 from rhodecode import __platform__, is_windows, is_unix |
1749
8ecc6b8229a5
commit less models
Marcin Kuzminski <marcin@python-works.com>
parents:
1728
diff
changeset
|
40 from rhodecode.model.meta import Session |
1118
b0e2c949c34b
Fixed Windows installation based on work of Mantis406 fork: "Replace py-bcrypt to make Windows installation easier"
Marcin Kuzminski <marcin@python-works.com>
parents:
1117
diff
changeset
|
41 |
2109 | 42 from rhodecode.lib.utils2 import str2bool, safe_unicode |
895
62c04c5cc971
Added some more details into user edit permissions view
Marcin Kuzminski <marcin@python-works.com>
parents:
779
diff
changeset
|
43 from rhodecode.lib.exceptions import LdapPasswordError, LdapUsernameError |
1982
87f0800abc7b
#227 Initial version of repository groups permissions system
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
44 from rhodecode.lib.utils import get_repo_slug, get_repos_group_slug |
713
1bb0fcdec895
fixed #72 show warning on removal when user still is owner of existing repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
705
diff
changeset
|
45 from rhodecode.lib.auth_ldap import AuthLdap |
895
62c04c5cc971
Added some more details into user edit permissions view
Marcin Kuzminski <marcin@python-works.com>
parents:
779
diff
changeset
|
46 |
547
1e757ac98988
renamed project to rhodecode
Marcin Kuzminski <marcin@python-works.com>
parents:
508
diff
changeset
|
47 from rhodecode.model import meta |
673
dd532af216d9
#49 Enabled anonymous access for web interface controllable from permissions pannel
Marcin Kuzminski <marcin@python-works.com>
parents:
629
diff
changeset
|
48 from rhodecode.model.user import UserModel |
3125
9b92cf5a0cca
Added UserIpMap interface for allowed IP addresses and IP restriction access
Marcin Kuzminski <marcin@python-works.com>
parents:
2726
diff
changeset
|
49 from rhodecode.model.db import Permission, RhodeCodeSetting, User, UserIpMap |
3146
c5169e445fb8
Full IP restrictions enabled
Marcin Kuzminski <marcin@python-works.com>
parents:
3137
diff
changeset
|
50 from rhodecode.lib.caching_query import FromCache |
895
62c04c5cc971
Added some more details into user edit permissions view
Marcin Kuzminski <marcin@python-works.com>
parents:
779
diff
changeset
|
51 |
1246 | 52 log = logging.getLogger(__name__) |
343
6484963056cd
implemented cache for repeated queries in simplehg mercurial requests
Marcin Kuzminski <marcin@python-works.com>
parents:
339
diff
changeset
|
53 |
41
71ffa932799d
Added app basic auth.
Marcin Kuzminski <marcin@python-blog.com>
parents:
diff
changeset
|
54 |
474
a3d9d24acbec
Implemented password reset(forms/models/ tasks) and mailing tasks.
Marcin Kuzminski <marcin@python-works.com>
parents:
442
diff
changeset
|
55 class PasswordGenerator(object): |
1716
7d1fc253549e
notification to commit author + gardening
Marcin Kuzminski <marcin@python-works.com>
parents:
1644
diff
changeset
|
56 """ |
1818
cf51bbfb120e
auto white-space removal
Marcin Kuzminski <marcin@python-works.com>
parents:
1808
diff
changeset
|
57 This is a simple class for generating password from different sets of |
1716
7d1fc253549e
notification to commit author + gardening
Marcin Kuzminski <marcin@python-works.com>
parents:
1644
diff
changeset
|
58 characters |
7d1fc253549e
notification to commit author + gardening
Marcin Kuzminski <marcin@python-works.com>
parents:
1644
diff
changeset
|
59 usage:: |
7d1fc253549e
notification to commit author + gardening
Marcin Kuzminski <marcin@python-works.com>
parents:
1644
diff
changeset
|
60 |
474
a3d9d24acbec
Implemented password reset(forms/models/ tasks) and mailing tasks.
Marcin Kuzminski <marcin@python-works.com>
parents:
442
diff
changeset
|
61 passwd_gen = PasswordGenerator() |
1246 | 62 #print 8-letter password containing only big and small letters |
63 of alphabet | |
2278
24095abde696
print statement cleanup
Marcin Kuzminski <marcin@python-works.com>
parents:
2125
diff
changeset
|
64 passwd_gen.gen_password(8, passwd_gen.ALPHABETS_BIG_SMALL) |
474
a3d9d24acbec
Implemented password reset(forms/models/ tasks) and mailing tasks.
Marcin Kuzminski <marcin@python-works.com>
parents:
442
diff
changeset
|
65 """ |
1246 | 66 ALPHABETS_NUM = r'''1234567890''' |
67 ALPHABETS_SMALL = r'''qwertyuiopasdfghjklzxcvbnm''' | |
68 ALPHABETS_BIG = r'''QWERTYUIOPASDFGHJKLZXCVBNM''' | |
69 ALPHABETS_SPECIAL = r'''`-=[]\;',./~!@#$%^&*()_+{}|:"<>?''' | |
70 ALPHABETS_FULL = ALPHABETS_BIG + ALPHABETS_SMALL \ | |
71 + ALPHABETS_NUM + ALPHABETS_SPECIAL | |
72 ALPHABETS_ALPHANUM = ALPHABETS_BIG + ALPHABETS_SMALL + ALPHABETS_NUM | |
474
a3d9d24acbec
Implemented password reset(forms/models/ tasks) and mailing tasks.
Marcin Kuzminski <marcin@python-works.com>
parents:
442
diff
changeset
|
73 ALPHABETS_BIG_SMALL = ALPHABETS_BIG + ALPHABETS_SMALL |
1246 | 74 ALPHABETS_ALPHANUM_BIG = ALPHABETS_BIG + ALPHABETS_NUM |
75 ALPHABETS_ALPHANUM_SMALL = ALPHABETS_SMALL + ALPHABETS_NUM | |
673
dd532af216d9
#49 Enabled anonymous access for web interface controllable from permissions pannel
Marcin Kuzminski <marcin@python-works.com>
parents:
629
diff
changeset
|
76 |
474
a3d9d24acbec
Implemented password reset(forms/models/ tasks) and mailing tasks.
Marcin Kuzminski <marcin@python-works.com>
parents:
442
diff
changeset
|
77 def __init__(self, passwd=''): |
a3d9d24acbec
Implemented password reset(forms/models/ tasks) and mailing tasks.
Marcin Kuzminski <marcin@python-works.com>
parents:
442
diff
changeset
|
78 self.passwd = passwd |
a3d9d24acbec
Implemented password reset(forms/models/ tasks) and mailing tasks.
Marcin Kuzminski <marcin@python-works.com>
parents:
442
diff
changeset
|
79 |
1993
4d3179d2adfe
added optional password type in password generator
Marcin Kuzminski <marcin@python-works.com>
parents:
1992
diff
changeset
|
80 def gen_password(self, length, type_=None): |
4d3179d2adfe
added optional password type in password generator
Marcin Kuzminski <marcin@python-works.com>
parents:
1992
diff
changeset
|
81 if type_ is None: |
4d3179d2adfe
added optional password type in password generator
Marcin Kuzminski <marcin@python-works.com>
parents:
1992
diff
changeset
|
82 type_ = self.ALPHABETS_FULL |
1982
87f0800abc7b
#227 Initial version of repository groups permissions system
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
83 self.passwd = ''.join([random.choice(type_) for _ in xrange(length)]) |
474
a3d9d24acbec
Implemented password reset(forms/models/ tasks) and mailing tasks.
Marcin Kuzminski <marcin@python-works.com>
parents:
442
diff
changeset
|
84 return self.passwd |
a3d9d24acbec
Implemented password reset(forms/models/ tasks) and mailing tasks.
Marcin Kuzminski <marcin@python-works.com>
parents:
442
diff
changeset
|
85 |
1246 | 86 |
1118
b0e2c949c34b
Fixed Windows installation based on work of Mantis406 fork: "Replace py-bcrypt to make Windows installation easier"
Marcin Kuzminski <marcin@python-works.com>
parents:
1117
diff
changeset
|
87 class RhodeCodeCrypto(object): |
b0e2c949c34b
Fixed Windows installation based on work of Mantis406 fork: "Replace py-bcrypt to make Windows installation easier"
Marcin Kuzminski <marcin@python-works.com>
parents:
1117
diff
changeset
|
88 |
b0e2c949c34b
Fixed Windows installation based on work of Mantis406 fork: "Replace py-bcrypt to make Windows installation easier"
Marcin Kuzminski <marcin@python-works.com>
parents:
1117
diff
changeset
|
89 @classmethod |
b0e2c949c34b
Fixed Windows installation based on work of Mantis406 fork: "Replace py-bcrypt to make Windows installation easier"
Marcin Kuzminski <marcin@python-works.com>
parents:
1117
diff
changeset
|
90 def hash_string(cls, str_): |
b0e2c949c34b
Fixed Windows installation based on work of Mantis406 fork: "Replace py-bcrypt to make Windows installation easier"
Marcin Kuzminski <marcin@python-works.com>
parents:
1117
diff
changeset
|
91 """ |
b0e2c949c34b
Fixed Windows installation based on work of Mantis406 fork: "Replace py-bcrypt to make Windows installation easier"
Marcin Kuzminski <marcin@python-works.com>
parents:
1117
diff
changeset
|
92 Cryptographic function used for password hashing based on pybcrypt |
b0e2c949c34b
Fixed Windows installation based on work of Mantis406 fork: "Replace py-bcrypt to make Windows installation easier"
Marcin Kuzminski <marcin@python-works.com>
parents:
1117
diff
changeset
|
93 or pycrypto in windows |
1203
6832ef664673
source code cleanup: remove trailing white space, normalize file endings
Marcin Kuzminski <marcin@python-works.com>
parents:
1195
diff
changeset
|
94 |
1118
b0e2c949c34b
Fixed Windows installation based on work of Mantis406 fork: "Replace py-bcrypt to make Windows installation easier"
Marcin Kuzminski <marcin@python-works.com>
parents:
1117
diff
changeset
|
95 :param password: password to hash |
b0e2c949c34b
Fixed Windows installation based on work of Mantis406 fork: "Replace py-bcrypt to make Windows installation easier"
Marcin Kuzminski <marcin@python-works.com>
parents:
1117
diff
changeset
|
96 """ |
2634
4b17216f2110
Deprecated validation of operating system, we just care if it's windows, let approve all other
Marcin Kuzminski <marcin@python-works.com>
parents:
2479
diff
changeset
|
97 if is_windows: |
2479
9225597688f4
Added validation into user email map
Marcin Kuzminski <marcin@python-works.com>
parents:
2458
diff
changeset
|
98 from hashlib import sha256 |
1118
b0e2c949c34b
Fixed Windows installation based on work of Mantis406 fork: "Replace py-bcrypt to make Windows installation easier"
Marcin Kuzminski <marcin@python-works.com>
parents:
1117
diff
changeset
|
99 return sha256(str_).hexdigest() |
2634
4b17216f2110
Deprecated validation of operating system, we just care if it's windows, let approve all other
Marcin Kuzminski <marcin@python-works.com>
parents:
2479
diff
changeset
|
100 elif is_unix: |
2479
9225597688f4
Added validation into user email map
Marcin Kuzminski <marcin@python-works.com>
parents:
2458
diff
changeset
|
101 import bcrypt |
1118
b0e2c949c34b
Fixed Windows installation based on work of Mantis406 fork: "Replace py-bcrypt to make Windows installation easier"
Marcin Kuzminski <marcin@python-works.com>
parents:
1117
diff
changeset
|
102 return bcrypt.hashpw(str_, bcrypt.gensalt(10)) |
b0e2c949c34b
Fixed Windows installation based on work of Mantis406 fork: "Replace py-bcrypt to make Windows installation easier"
Marcin Kuzminski <marcin@python-works.com>
parents:
1117
diff
changeset
|
103 else: |
1246 | 104 raise Exception('Unknown or unsupported platform %s' \ |
105 % __platform__) | |
1118
b0e2c949c34b
Fixed Windows installation based on work of Mantis406 fork: "Replace py-bcrypt to make Windows installation easier"
Marcin Kuzminski <marcin@python-works.com>
parents:
1117
diff
changeset
|
106 |
b0e2c949c34b
Fixed Windows installation based on work of Mantis406 fork: "Replace py-bcrypt to make Windows installation easier"
Marcin Kuzminski <marcin@python-works.com>
parents:
1117
diff
changeset
|
107 @classmethod |
b0e2c949c34b
Fixed Windows installation based on work of Mantis406 fork: "Replace py-bcrypt to make Windows installation easier"
Marcin Kuzminski <marcin@python-works.com>
parents:
1117
diff
changeset
|
108 def hash_check(cls, password, hashed): |
b0e2c949c34b
Fixed Windows installation based on work of Mantis406 fork: "Replace py-bcrypt to make Windows installation easier"
Marcin Kuzminski <marcin@python-works.com>
parents:
1117
diff
changeset
|
109 """ |
b0e2c949c34b
Fixed Windows installation based on work of Mantis406 fork: "Replace py-bcrypt to make Windows installation easier"
Marcin Kuzminski <marcin@python-works.com>
parents:
1117
diff
changeset
|
110 Checks matching password with it's hashed value, runs different |
b0e2c949c34b
Fixed Windows installation based on work of Mantis406 fork: "Replace py-bcrypt to make Windows installation easier"
Marcin Kuzminski <marcin@python-works.com>
parents:
1117
diff
changeset
|
111 implementation based on platform it runs on |
1203
6832ef664673
source code cleanup: remove trailing white space, normalize file endings
Marcin Kuzminski <marcin@python-works.com>
parents:
1195
diff
changeset
|
112 |
1118
b0e2c949c34b
Fixed Windows installation based on work of Mantis406 fork: "Replace py-bcrypt to make Windows installation easier"
Marcin Kuzminski <marcin@python-works.com>
parents:
1117
diff
changeset
|
113 :param password: password |
b0e2c949c34b
Fixed Windows installation based on work of Mantis406 fork: "Replace py-bcrypt to make Windows installation easier"
Marcin Kuzminski <marcin@python-works.com>
parents:
1117
diff
changeset
|
114 :param hashed: password in hashed form |
b0e2c949c34b
Fixed Windows installation based on work of Mantis406 fork: "Replace py-bcrypt to make Windows installation easier"
Marcin Kuzminski <marcin@python-works.com>
parents:
1117
diff
changeset
|
115 """ |
b0e2c949c34b
Fixed Windows installation based on work of Mantis406 fork: "Replace py-bcrypt to make Windows installation easier"
Marcin Kuzminski <marcin@python-works.com>
parents:
1117
diff
changeset
|
116 |
2634
4b17216f2110
Deprecated validation of operating system, we just care if it's windows, let approve all other
Marcin Kuzminski <marcin@python-works.com>
parents:
2479
diff
changeset
|
117 if is_windows: |
2479
9225597688f4
Added validation into user email map
Marcin Kuzminski <marcin@python-works.com>
parents:
2458
diff
changeset
|
118 from hashlib import sha256 |
1118
b0e2c949c34b
Fixed Windows installation based on work of Mantis406 fork: "Replace py-bcrypt to make Windows installation easier"
Marcin Kuzminski <marcin@python-works.com>
parents:
1117
diff
changeset
|
119 return sha256(password).hexdigest() == hashed |
2634
4b17216f2110
Deprecated validation of operating system, we just care if it's windows, let approve all other
Marcin Kuzminski <marcin@python-works.com>
parents:
2479
diff
changeset
|
120 elif is_unix: |
2479
9225597688f4
Added validation into user email map
Marcin Kuzminski <marcin@python-works.com>
parents:
2458
diff
changeset
|
121 import bcrypt |
1118
b0e2c949c34b
Fixed Windows installation based on work of Mantis406 fork: "Replace py-bcrypt to make Windows installation easier"
Marcin Kuzminski <marcin@python-works.com>
parents:
1117
diff
changeset
|
122 return bcrypt.hashpw(password, hashed) == hashed |
b0e2c949c34b
Fixed Windows installation based on work of Mantis406 fork: "Replace py-bcrypt to make Windows installation easier"
Marcin Kuzminski <marcin@python-works.com>
parents:
1117
diff
changeset
|
123 else: |
1246 | 124 raise Exception('Unknown or unsupported platform %s' \ |
125 % __platform__) | |
1118
b0e2c949c34b
Fixed Windows installation based on work of Mantis406 fork: "Replace py-bcrypt to make Windows installation easier"
Marcin Kuzminski <marcin@python-works.com>
parents:
1117
diff
changeset
|
126 |
673
dd532af216d9
#49 Enabled anonymous access for web interface controllable from permissions pannel
Marcin Kuzminski <marcin@python-works.com>
parents:
629
diff
changeset
|
127 |
64
08707974eae4
Changed auth lib for sqlalchemy
Marcin Kuzminski <marcin@python-blog.com>
parents:
52
diff
changeset
|
128 def get_crypt_password(password): |
1118
b0e2c949c34b
Fixed Windows installation based on work of Mantis406 fork: "Replace py-bcrypt to make Windows installation easier"
Marcin Kuzminski <marcin@python-works.com>
parents:
1117
diff
changeset
|
129 return RhodeCodeCrypto.hash_string(password) |
b0e2c949c34b
Fixed Windows installation based on work of Mantis406 fork: "Replace py-bcrypt to make Windows installation easier"
Marcin Kuzminski <marcin@python-works.com>
parents:
1117
diff
changeset
|
130 |
1246 | 131 |
1118
b0e2c949c34b
Fixed Windows installation based on work of Mantis406 fork: "Replace py-bcrypt to make Windows installation easier"
Marcin Kuzminski <marcin@python-works.com>
parents:
1117
diff
changeset
|
132 def check_password(password, hashed): |
b0e2c949c34b
Fixed Windows installation based on work of Mantis406 fork: "Replace py-bcrypt to make Windows installation easier"
Marcin Kuzminski <marcin@python-works.com>
parents:
1117
diff
changeset
|
133 return RhodeCodeCrypto.hash_check(password, hashed) |
415
04e8b31fb245
Changed password crypting scheme to bcrypt, added dependency for setup
Marcin Kuzminski <marcin@python-works.com>
parents:
412
diff
changeset
|
134 |
1950
4ae17f819ee8
#344 optional firstname lastname on user creation
Marcin Kuzminski <marcin@python-works.com>
parents:
1824
diff
changeset
|
135 |
1628
de71a4bde097
Some code cleanups and fixes
Marcin Kuzminski <marcin@python-works.com>
parents:
1621
diff
changeset
|
136 def generate_api_key(str_, salt=None): |
de71a4bde097
Some code cleanups and fixes
Marcin Kuzminski <marcin@python-works.com>
parents:
1621
diff
changeset
|
137 """ |
de71a4bde097
Some code cleanups and fixes
Marcin Kuzminski <marcin@python-works.com>
parents:
1621
diff
changeset
|
138 Generates API KEY from given string |
1818
cf51bbfb120e
auto white-space removal
Marcin Kuzminski <marcin@python-works.com>
parents:
1808
diff
changeset
|
139 |
1628
de71a4bde097
Some code cleanups and fixes
Marcin Kuzminski <marcin@python-works.com>
parents:
1621
diff
changeset
|
140 :param str_: |
de71a4bde097
Some code cleanups and fixes
Marcin Kuzminski <marcin@python-works.com>
parents:
1621
diff
changeset
|
141 :param salt: |
de71a4bde097
Some code cleanups and fixes
Marcin Kuzminski <marcin@python-works.com>
parents:
1621
diff
changeset
|
142 """ |
1718
f78bee8eec78
reduce cookie size for better support of client side sessions
Marcin Kuzminski <marcin@python-works.com>
parents:
1716
diff
changeset
|
143 |
1116
716911af91e1
Added api_key into user, api key get's generated again after password change
Marcin Kuzminski <marcin@python-works.com>
parents:
1056
diff
changeset
|
144 if salt is None: |
716911af91e1
Added api_key into user, api key get's generated again after password change
Marcin Kuzminski <marcin@python-works.com>
parents:
1056
diff
changeset
|
145 salt = _RandomNameSequence().next() |
716911af91e1
Added api_key into user, api key get's generated again after password change
Marcin Kuzminski <marcin@python-works.com>
parents:
1056
diff
changeset
|
146 |
1628
de71a4bde097
Some code cleanups and fixes
Marcin Kuzminski <marcin@python-works.com>
parents:
1621
diff
changeset
|
147 return hashlib.sha1(str_ + salt).hexdigest() |
1116
716911af91e1
Added api_key into user, api key get's generated again after password change
Marcin Kuzminski <marcin@python-works.com>
parents:
1056
diff
changeset
|
148 |
1246 | 149 |
41
71ffa932799d
Added app basic auth.
Marcin Kuzminski <marcin@python-blog.com>
parents:
diff
changeset
|
150 def authfunc(environ, username, password): |
1628
de71a4bde097
Some code cleanups and fixes
Marcin Kuzminski <marcin@python-works.com>
parents:
1621
diff
changeset
|
151 """ |
1818
cf51bbfb120e
auto white-space removal
Marcin Kuzminski <marcin@python-works.com>
parents:
1808
diff
changeset
|
152 Dummy authentication wrapper function used in Mercurial and Git for |
1644 | 153 access control. |
1203
6832ef664673
source code cleanup: remove trailing white space, normalize file endings
Marcin Kuzminski <marcin@python-works.com>
parents:
1195
diff
changeset
|
154 |
761
56c2850a5b5f
ldap auth rewrite, moved split authfunc into two functions,
Marcin Kuzminski <marcin@python-works.com>
parents:
749
diff
changeset
|
155 :param environ: needed only for using in Basic auth |
56c2850a5b5f
ldap auth rewrite, moved split authfunc into two functions,
Marcin Kuzminski <marcin@python-works.com>
parents:
749
diff
changeset
|
156 """ |
56c2850a5b5f
ldap auth rewrite, moved split authfunc into two functions,
Marcin Kuzminski <marcin@python-works.com>
parents:
749
diff
changeset
|
157 return authenticate(username, password) |
56c2850a5b5f
ldap auth rewrite, moved split authfunc into two functions,
Marcin Kuzminski <marcin@python-works.com>
parents:
749
diff
changeset
|
158 |
56c2850a5b5f
ldap auth rewrite, moved split authfunc into two functions,
Marcin Kuzminski <marcin@python-works.com>
parents:
749
diff
changeset
|
159 |
56c2850a5b5f
ldap auth rewrite, moved split authfunc into two functions,
Marcin Kuzminski <marcin@python-works.com>
parents:
749
diff
changeset
|
160 def authenticate(username, password): |
1628
de71a4bde097
Some code cleanups and fixes
Marcin Kuzminski <marcin@python-works.com>
parents:
1621
diff
changeset
|
161 """ |
de71a4bde097
Some code cleanups and fixes
Marcin Kuzminski <marcin@python-works.com>
parents:
1621
diff
changeset
|
162 Authentication function used for access control, |
699
52da7cba88a6
Code refactor for auth func, preparing for ldap support
Marcin Kuzminski <marcin@python-works.com>
parents:
692
diff
changeset
|
163 firstly checks for db authentication then if ldap is enabled for ldap |
705
9e9f1b919c0c
implements #60, ldap configuration and authentication.
Marcin Kuzminski <marcin@python-works.com>
parents:
699
diff
changeset
|
164 authentication, also creates ldap user if not in database |
1203
6832ef664673
source code cleanup: remove trailing white space, normalize file endings
Marcin Kuzminski <marcin@python-works.com>
parents:
1195
diff
changeset
|
165 |
699
52da7cba88a6
Code refactor for auth func, preparing for ldap support
Marcin Kuzminski <marcin@python-works.com>
parents:
692
diff
changeset
|
166 :param username: username |
52da7cba88a6
Code refactor for auth func, preparing for ldap support
Marcin Kuzminski <marcin@python-works.com>
parents:
692
diff
changeset
|
167 :param password: password |
52da7cba88a6
Code refactor for auth func, preparing for ldap support
Marcin Kuzminski <marcin@python-works.com>
parents:
692
diff
changeset
|
168 """ |
1292
c0335c1dee36
added some fixes to LDAP form re-submition, new simples ldap-settings getter.
Marcin Kuzminski <marcin@python-works.com>
parents:
1290
diff
changeset
|
169 |
705
9e9f1b919c0c
implements #60, ldap configuration and authentication.
Marcin Kuzminski <marcin@python-works.com>
parents:
699
diff
changeset
|
170 user_model = UserModel() |
1530
04027bdb876c
Refactoring of model get functions
Marcin Kuzminski <marcin@python-works.com>
parents:
1425
diff
changeset
|
171 user = User.get_by_username(username) |
699
52da7cba88a6
Code refactor for auth func, preparing for ldap support
Marcin Kuzminski <marcin@python-works.com>
parents:
692
diff
changeset
|
172 |
761
56c2850a5b5f
ldap auth rewrite, moved split authfunc into two functions,
Marcin Kuzminski <marcin@python-works.com>
parents:
749
diff
changeset
|
173 log.debug('Authenticating user using RhodeCode account') |
991
b232a36cc51f
Improve LDAP authentication
Thayne Harbaugh <thayne@fusionio.com>
parents:
895
diff
changeset
|
174 if user is not None and not user.ldap_dn: |
64
08707974eae4
Changed auth lib for sqlalchemy
Marcin Kuzminski <marcin@python-blog.com>
parents:
52
diff
changeset
|
175 if user.active: |
674
99875a8f2ad1
#49 Enabled anonymous access push and pull commands
Marcin Kuzminski <marcin@python-works.com>
parents:
673
diff
changeset
|
176 if user.username == 'default' and user.active: |
2025
7e979933ffec
more work on improving info logging
Marcin Kuzminski <marcin@python-works.com>
parents:
2000
diff
changeset
|
177 log.info('user %s authenticated correctly as anonymous user' % |
761
56c2850a5b5f
ldap auth rewrite, moved split authfunc into two functions,
Marcin Kuzminski <marcin@python-works.com>
parents:
749
diff
changeset
|
178 username) |
674
99875a8f2ad1
#49 Enabled anonymous access push and pull commands
Marcin Kuzminski <marcin@python-works.com>
parents:
673
diff
changeset
|
179 return True |
99875a8f2ad1
#49 Enabled anonymous access push and pull commands
Marcin Kuzminski <marcin@python-works.com>
parents:
673
diff
changeset
|
180 |
1246 | 181 elif user.username == username and check_password(password, |
182 user.password): | |
1976 | 183 log.info('user %s authenticated correctly' % username) |
41
71ffa932799d
Added app basic auth.
Marcin Kuzminski <marcin@python-blog.com>
parents:
diff
changeset
|
184 return True |
71ffa932799d
Added app basic auth.
Marcin Kuzminski <marcin@python-blog.com>
parents:
diff
changeset
|
185 else: |
2025
7e979933ffec
more work on improving info logging
Marcin Kuzminski <marcin@python-works.com>
parents:
2000
diff
changeset
|
186 log.warning('user %s tried auth but is disabled' % username) |
705
9e9f1b919c0c
implements #60, ldap configuration and authentication.
Marcin Kuzminski <marcin@python-works.com>
parents:
699
diff
changeset
|
187 |
9e9f1b919c0c
implements #60, ldap configuration and authentication.
Marcin Kuzminski <marcin@python-works.com>
parents:
699
diff
changeset
|
188 else: |
761
56c2850a5b5f
ldap auth rewrite, moved split authfunc into two functions,
Marcin Kuzminski <marcin@python-works.com>
parents:
749
diff
changeset
|
189 log.debug('Regular authentication failed') |
1530
04027bdb876c
Refactoring of model get functions
Marcin Kuzminski <marcin@python-works.com>
parents:
1425
diff
changeset
|
190 user_obj = User.get_by_username(username, case_insensitive=True) |
761
56c2850a5b5f
ldap auth rewrite, moved split authfunc into two functions,
Marcin Kuzminski <marcin@python-works.com>
parents:
749
diff
changeset
|
191 |
991
b232a36cc51f
Improve LDAP authentication
Thayne Harbaugh <thayne@fusionio.com>
parents:
895
diff
changeset
|
192 if user_obj is not None and not user_obj.ldap_dn: |
749
fcd4fb51526e
added debug message for ldap auth
Marcin Kuzminski <marcin@python-works.com>
parents:
748
diff
changeset
|
193 log.debug('this user already exists as non ldap') |
748
88338675a0f7
fixed ldap issue and small template fix
Marcin Kuzminski <marcin@python-works.com>
parents:
742
diff
changeset
|
194 return False |
88338675a0f7
fixed ldap issue and small template fix
Marcin Kuzminski <marcin@python-works.com>
parents:
742
diff
changeset
|
195 |
1633
2c0d35e336b5
refactoring of models names for repoGroup permissions
Marcin Kuzminski <marcin@python-works.com>
parents:
1630
diff
changeset
|
196 ldap_settings = RhodeCodeSetting.get_ldap_settings() |
705
9e9f1b919c0c
implements #60, ldap configuration and authentication.
Marcin Kuzminski <marcin@python-works.com>
parents:
699
diff
changeset
|
197 #====================================================================== |
1203
6832ef664673
source code cleanup: remove trailing white space, normalize file endings
Marcin Kuzminski <marcin@python-works.com>
parents:
1195
diff
changeset
|
198 # FALLBACK TO LDAP AUTH IF ENABLE |
705
9e9f1b919c0c
implements #60, ldap configuration and authentication.
Marcin Kuzminski <marcin@python-works.com>
parents:
699
diff
changeset
|
199 #====================================================================== |
1135
1aa1655bf019
fixed some config bool converter problems with ldap
Marcin Kuzminski <marcin@python-works.com>
parents:
1122
diff
changeset
|
200 if str2bool(ldap_settings.get('ldap_active')): |
761
56c2850a5b5f
ldap auth rewrite, moved split authfunc into two functions,
Marcin Kuzminski <marcin@python-works.com>
parents:
749
diff
changeset
|
201 log.debug("Authenticating user using ldap") |
705
9e9f1b919c0c
implements #60, ldap configuration and authentication.
Marcin Kuzminski <marcin@python-works.com>
parents:
699
diff
changeset
|
202 kwargs = { |
1246 | 203 'server': ldap_settings.get('ldap_host', ''), |
204 'base_dn': ldap_settings.get('ldap_base_dn', ''), | |
205 'port': ldap_settings.get('ldap_port'), | |
206 'bind_dn': ldap_settings.get('ldap_dn_user'), | |
207 'bind_pass': ldap_settings.get('ldap_dn_pass'), | |
1290
74685a31cc43
Enable start_tls connection encryption.
"Lorenzo M. Catucci" <lorenzo@sancho.ccd.uniroma2.it>
parents:
1288
diff
changeset
|
208 'tls_kind': ldap_settings.get('ldap_tls_kind'), |
1246 | 209 'tls_reqcert': ldap_settings.get('ldap_tls_reqcert'), |
210 'ldap_filter': ldap_settings.get('ldap_filter'), | |
211 'search_scope': ldap_settings.get('ldap_search_scope'), | |
212 'attr_login': ldap_settings.get('ldap_attr_login'), | |
213 'ldap_version': 3, | |
705
9e9f1b919c0c
implements #60, ldap configuration and authentication.
Marcin Kuzminski <marcin@python-works.com>
parents:
699
diff
changeset
|
214 } |
9e9f1b919c0c
implements #60, ldap configuration and authentication.
Marcin Kuzminski <marcin@python-works.com>
parents:
699
diff
changeset
|
215 log.debug('Checking for ldap authentication') |
9e9f1b919c0c
implements #60, ldap configuration and authentication.
Marcin Kuzminski <marcin@python-works.com>
parents:
699
diff
changeset
|
216 try: |
9e9f1b919c0c
implements #60, ldap configuration and authentication.
Marcin Kuzminski <marcin@python-works.com>
parents:
699
diff
changeset
|
217 aldap = AuthLdap(**kwargs) |
1246 | 218 (user_dn, ldap_attrs) = aldap.authenticate_ldap(username, |
219 password) | |
1976 | 220 log.debug('Got ldap DN response %s' % user_dn) |
705
9e9f1b919c0c
implements #60, ldap configuration and authentication.
Marcin Kuzminski <marcin@python-works.com>
parents:
699
diff
changeset
|
221 |
1307 | 222 get_ldap_attr = lambda k: ldap_attrs.get(ldap_settings\ |
1292
c0335c1dee36
added some fixes to LDAP form re-submition, new simples ldap-settings getter.
Marcin Kuzminski <marcin@python-works.com>
parents:
1290
diff
changeset
|
223 .get(k), [''])[0] |
c0335c1dee36
added some fixes to LDAP form re-submition, new simples ldap-settings getter.
Marcin Kuzminski <marcin@python-works.com>
parents:
1290
diff
changeset
|
224 |
991
b232a36cc51f
Improve LDAP authentication
Thayne Harbaugh <thayne@fusionio.com>
parents:
895
diff
changeset
|
225 user_attrs = { |
1425
3dedf3991d40
fixes #173, many thanks for slestak for contributing into this one.
Marcin Kuzminski <marcin@python-works.com>
parents:
1336
diff
changeset
|
226 'name': safe_unicode(get_ldap_attr('ldap_attr_firstname')), |
3dedf3991d40
fixes #173, many thanks for slestak for contributing into this one.
Marcin Kuzminski <marcin@python-works.com>
parents:
1336
diff
changeset
|
227 'lastname': safe_unicode(get_ldap_attr('ldap_attr_lastname')), |
3dedf3991d40
fixes #173, many thanks for slestak for contributing into this one.
Marcin Kuzminski <marcin@python-works.com>
parents:
1336
diff
changeset
|
228 'email': get_ldap_attr('ldap_attr_email'), |
3dedf3991d40
fixes #173, many thanks for slestak for contributing into this one.
Marcin Kuzminski <marcin@python-works.com>
parents:
1336
diff
changeset
|
229 } |
2000
72c525a7e7ad
added migrations from 1.2.X to 1.3
Marcin Kuzminski <marcin@python-works.com>
parents:
1993
diff
changeset
|
230 |
72c525a7e7ad
added migrations from 1.2.X to 1.3
Marcin Kuzminski <marcin@python-works.com>
parents:
1993
diff
changeset
|
231 # don't store LDAP password since we don't need it. Override |
1992
335b55caa81d
#355 replaced stored LDAP password with some random generated one
Marcin Kuzminski <marcin@python-works.com>
parents:
1982
diff
changeset
|
232 # with some random generated password |
335b55caa81d
#355 replaced stored LDAP password with some random generated one
Marcin Kuzminski <marcin@python-works.com>
parents:
1982
diff
changeset
|
233 _password = PasswordGenerator().gen_password(length=8) |
335b55caa81d
#355 replaced stored LDAP password with some random generated one
Marcin Kuzminski <marcin@python-works.com>
parents:
1982
diff
changeset
|
234 # create this user on the fly if it doesn't exist in rhodecode |
335b55caa81d
#355 replaced stored LDAP password with some random generated one
Marcin Kuzminski <marcin@python-works.com>
parents:
1982
diff
changeset
|
235 # database |
335b55caa81d
#355 replaced stored LDAP password with some random generated one
Marcin Kuzminski <marcin@python-works.com>
parents:
1982
diff
changeset
|
236 if user_model.create_ldap(username, _password, user_dn, |
1246 | 237 user_attrs): |
1976 | 238 log.info('created new ldap user %s' % username) |
1818
cf51bbfb120e
auto white-space removal
Marcin Kuzminski <marcin@python-works.com>
parents:
1808
diff
changeset
|
239 |
2634
4b17216f2110
Deprecated validation of operating system, we just care if it's windows, let approve all other
Marcin Kuzminski <marcin@python-works.com>
parents:
2479
diff
changeset
|
240 Session().commit() |
761
56c2850a5b5f
ldap auth rewrite, moved split authfunc into two functions,
Marcin Kuzminski <marcin@python-works.com>
parents:
749
diff
changeset
|
241 return True |
56c2850a5b5f
ldap auth rewrite, moved split authfunc into two functions,
Marcin Kuzminski <marcin@python-works.com>
parents:
749
diff
changeset
|
242 except (LdapUsernameError, LdapPasswordError,): |
56c2850a5b5f
ldap auth rewrite, moved split authfunc into two functions,
Marcin Kuzminski <marcin@python-works.com>
parents:
749
diff
changeset
|
243 pass |
56c2850a5b5f
ldap auth rewrite, moved split authfunc into two functions,
Marcin Kuzminski <marcin@python-works.com>
parents:
749
diff
changeset
|
244 except (Exception,): |
705
9e9f1b919c0c
implements #60, ldap configuration and authentication.
Marcin Kuzminski <marcin@python-works.com>
parents:
699
diff
changeset
|
245 log.error(traceback.format_exc()) |
761
56c2850a5b5f
ldap auth rewrite, moved split authfunc into two functions,
Marcin Kuzminski <marcin@python-works.com>
parents:
749
diff
changeset
|
246 pass |
41
71ffa932799d
Added app basic auth.
Marcin Kuzminski <marcin@python-blog.com>
parents:
diff
changeset
|
247 return False |
71ffa932799d
Added app basic auth.
Marcin Kuzminski <marcin@python-blog.com>
parents:
diff
changeset
|
248 |
1950
4ae17f819ee8
#344 optional firstname lastname on user creation
Marcin Kuzminski <marcin@python-works.com>
parents:
1824
diff
changeset
|
249 |
1621
cbc2b1913cdf
Added basic automatic user creation for container auth
Liad Shani <liadff@gmail.com>
parents:
1618
diff
changeset
|
250 def login_container_auth(username): |
cbc2b1913cdf
Added basic automatic user creation for container auth
Liad Shani <liadff@gmail.com>
parents:
1618
diff
changeset
|
251 user = User.get_by_username(username) |
cbc2b1913cdf
Added basic automatic user creation for container auth
Liad Shani <liadff@gmail.com>
parents:
1618
diff
changeset
|
252 if user is None: |
cbc2b1913cdf
Added basic automatic user creation for container auth
Liad Shani <liadff@gmail.com>
parents:
1618
diff
changeset
|
253 user_attrs = { |
1628
de71a4bde097
Some code cleanups and fixes
Marcin Kuzminski <marcin@python-works.com>
parents:
1621
diff
changeset
|
254 'name': username, |
de71a4bde097
Some code cleanups and fixes
Marcin Kuzminski <marcin@python-works.com>
parents:
1621
diff
changeset
|
255 'lastname': None, |
de71a4bde097
Some code cleanups and fixes
Marcin Kuzminski <marcin@python-works.com>
parents:
1621
diff
changeset
|
256 'email': None, |
de71a4bde097
Some code cleanups and fixes
Marcin Kuzminski <marcin@python-works.com>
parents:
1621
diff
changeset
|
257 } |
1749
8ecc6b8229a5
commit less models
Marcin Kuzminski <marcin@python-works.com>
parents:
1728
diff
changeset
|
258 user = UserModel().create_for_container_auth(username, user_attrs) |
1628
de71a4bde097
Some code cleanups and fixes
Marcin Kuzminski <marcin@python-works.com>
parents:
1621
diff
changeset
|
259 if not user: |
1621
cbc2b1913cdf
Added basic automatic user creation for container auth
Liad Shani <liadff@gmail.com>
parents:
1618
diff
changeset
|
260 return None |
1976 | 261 log.info('User %s was created by container authentication' % username) |
1621
cbc2b1913cdf
Added basic automatic user creation for container auth
Liad Shani <liadff@gmail.com>
parents:
1618
diff
changeset
|
262 |
cbc2b1913cdf
Added basic automatic user creation for container auth
Liad Shani <liadff@gmail.com>
parents:
1618
diff
changeset
|
263 if not user.active: |
cbc2b1913cdf
Added basic automatic user creation for container auth
Liad Shani <liadff@gmail.com>
parents:
1618
diff
changeset
|
264 return None |
cbc2b1913cdf
Added basic automatic user creation for container auth
Liad Shani <liadff@gmail.com>
parents:
1618
diff
changeset
|
265 |
cbc2b1913cdf
Added basic automatic user creation for container auth
Liad Shani <liadff@gmail.com>
parents:
1618
diff
changeset
|
266 user.update_lastlogin() |
2634
4b17216f2110
Deprecated validation of operating system, we just care if it's windows, let approve all other
Marcin Kuzminski <marcin@python-works.com>
parents:
2479
diff
changeset
|
267 Session().commit() |
1818
cf51bbfb120e
auto white-space removal
Marcin Kuzminski <marcin@python-works.com>
parents:
1808
diff
changeset
|
268 |
1718
f78bee8eec78
reduce cookie size for better support of client side sessions
Marcin Kuzminski <marcin@python-works.com>
parents:
1716
diff
changeset
|
269 log.debug('User %s is now logged in by container authentication', |
1628
de71a4bde097
Some code cleanups and fixes
Marcin Kuzminski <marcin@python-works.com>
parents:
1621
diff
changeset
|
270 user.username) |
1621
cbc2b1913cdf
Added basic automatic user creation for container auth
Liad Shani <liadff@gmail.com>
parents:
1618
diff
changeset
|
271 return user |
cbc2b1913cdf
Added basic automatic user creation for container auth
Liad Shani <liadff@gmail.com>
parents:
1618
diff
changeset
|
272 |
1950
4ae17f819ee8
#344 optional firstname lastname on user creation
Marcin Kuzminski <marcin@python-works.com>
parents:
1824
diff
changeset
|
273 |
3173
db0871d942b6
adde cleanup username flag into get_container_username function
Marcin Kuzminski <marcin@python-works.com>
parents:
3172
diff
changeset
|
274 def get_container_username(environ, config, clean_username=False): |
db0871d942b6
adde cleanup username flag into get_container_username function
Marcin Kuzminski <marcin@python-works.com>
parents:
3172
diff
changeset
|
275 """ |
db0871d942b6
adde cleanup username flag into get_container_username function
Marcin Kuzminski <marcin@python-works.com>
parents:
3172
diff
changeset
|
276 Get's the container_auth username (or email). It tries to get username |
db0871d942b6
adde cleanup username flag into get_container_username function
Marcin Kuzminski <marcin@python-works.com>
parents:
3172
diff
changeset
|
277 from REMOTE_USER if container_auth_enabled is enabled, if that fails |
db0871d942b6
adde cleanup username flag into get_container_username function
Marcin Kuzminski <marcin@python-works.com>
parents:
3172
diff
changeset
|
278 it tries to get username from HTTP_X_FORWARDED_USER if proxypass_auth_enabled |
db0871d942b6
adde cleanup username flag into get_container_username function
Marcin Kuzminski <marcin@python-works.com>
parents:
3172
diff
changeset
|
279 is enabled. clean_username extracts the username from this data if it's |
db0871d942b6
adde cleanup username flag into get_container_username function
Marcin Kuzminski <marcin@python-works.com>
parents:
3172
diff
changeset
|
280 having @ in it. |
db0871d942b6
adde cleanup username flag into get_container_username function
Marcin Kuzminski <marcin@python-works.com>
parents:
3172
diff
changeset
|
281 |
db0871d942b6
adde cleanup username flag into get_container_username function
Marcin Kuzminski <marcin@python-works.com>
parents:
3172
diff
changeset
|
282 :param environ: |
db0871d942b6
adde cleanup username flag into get_container_username function
Marcin Kuzminski <marcin@python-works.com>
parents:
3172
diff
changeset
|
283 :param config: |
db0871d942b6
adde cleanup username flag into get_container_username function
Marcin Kuzminski <marcin@python-works.com>
parents:
3172
diff
changeset
|
284 :param clean_username: |
db0871d942b6
adde cleanup username flag into get_container_username function
Marcin Kuzminski <marcin@python-works.com>
parents:
3172
diff
changeset
|
285 """ |
1630
25d8e4836bc2
Improved container-based auth support for middleware
Liad Shani <liadff@gmail.com>
parents:
1628
diff
changeset
|
286 username = None |
1621
cbc2b1913cdf
Added basic automatic user creation for container auth
Liad Shani <liadff@gmail.com>
parents:
1618
diff
changeset
|
287 |
1630
25d8e4836bc2
Improved container-based auth support for middleware
Liad Shani <liadff@gmail.com>
parents:
1628
diff
changeset
|
288 if str2bool(config.get('container_auth_enabled', False)): |
25d8e4836bc2
Improved container-based auth support for middleware
Liad Shani <liadff@gmail.com>
parents:
1628
diff
changeset
|
289 from paste.httpheaders import REMOTE_USER |
25d8e4836bc2
Improved container-based auth support for middleware
Liad Shani <liadff@gmail.com>
parents:
1628
diff
changeset
|
290 username = REMOTE_USER(environ) |
3172
264d9c930c17
added some more logging into get_container_username function
Marcin Kuzminski <marcin@python-works.com>
parents:
3161
diff
changeset
|
291 log.debug('extracted REMOTE_USER:%s' % (username)) |
1630
25d8e4836bc2
Improved container-based auth support for middleware
Liad Shani <liadff@gmail.com>
parents:
1628
diff
changeset
|
292 |
25d8e4836bc2
Improved container-based auth support for middleware
Liad Shani <liadff@gmail.com>
parents:
1628
diff
changeset
|
293 if not username and str2bool(config.get('proxypass_auth_enabled', False)): |
1617
cf128ced8c85
Improved container-based auth implementation and added support for a reverse-proxy setup (using the X-Forwarded-User header)
Liad Shani <liadff@gmail.com>
parents:
1614
diff
changeset
|
294 username = environ.get('HTTP_X_FORWARDED_USER') |
3172
264d9c930c17
added some more logging into get_container_username function
Marcin Kuzminski <marcin@python-works.com>
parents:
3161
diff
changeset
|
295 log.debug('extracted HTTP_X_FORWARDED_USER:%s' % (username)) |
1617
cf128ced8c85
Improved container-based auth implementation and added support for a reverse-proxy setup (using the X-Forwarded-User header)
Liad Shani <liadff@gmail.com>
parents:
1614
diff
changeset
|
296 |
3173
db0871d942b6
adde cleanup username flag into get_container_username function
Marcin Kuzminski <marcin@python-works.com>
parents:
3172
diff
changeset
|
297 if username and clean_username: |
1628
de71a4bde097
Some code cleanups and fixes
Marcin Kuzminski <marcin@python-works.com>
parents:
1621
diff
changeset
|
298 # Removing realm and domain from username |
1617
cf128ced8c85
Improved container-based auth implementation and added support for a reverse-proxy setup (using the X-Forwarded-User header)
Liad Shani <liadff@gmail.com>
parents:
1614
diff
changeset
|
299 username = username.partition('@')[0] |
cf128ced8c85
Improved container-based auth implementation and added support for a reverse-proxy setup (using the X-Forwarded-User header)
Liad Shani <liadff@gmail.com>
parents:
1614
diff
changeset
|
300 username = username.rpartition('\\')[2] |
3172
264d9c930c17
added some more logging into get_container_username function
Marcin Kuzminski <marcin@python-works.com>
parents:
3161
diff
changeset
|
301 log.debug('Received username %s from container' % username) |
1617
cf128ced8c85
Improved container-based auth implementation and added support for a reverse-proxy setup (using the X-Forwarded-User header)
Liad Shani <liadff@gmail.com>
parents:
1614
diff
changeset
|
302 |
cf128ced8c85
Improved container-based auth implementation and added support for a reverse-proxy setup (using the X-Forwarded-User header)
Liad Shani <liadff@gmail.com>
parents:
1614
diff
changeset
|
303 return username |
1246 | 304 |
1950
4ae17f819ee8
#344 optional firstname lastname on user creation
Marcin Kuzminski <marcin@python-works.com>
parents:
1824
diff
changeset
|
305 |
2030
61f9aeb2129e
Added session wrapper, for rc 1.2.X compatibility. Adds backwards compatability
Marcin Kuzminski <marcin@python-works.com>
parents:
2025
diff
changeset
|
306 class CookieStoreWrapper(object): |
61f9aeb2129e
Added session wrapper, for rc 1.2.X compatibility. Adds backwards compatability
Marcin Kuzminski <marcin@python-works.com>
parents:
2025
diff
changeset
|
307 |
61f9aeb2129e
Added session wrapper, for rc 1.2.X compatibility. Adds backwards compatability
Marcin Kuzminski <marcin@python-works.com>
parents:
2025
diff
changeset
|
308 def __init__(self, cookie_store): |
61f9aeb2129e
Added session wrapper, for rc 1.2.X compatibility. Adds backwards compatability
Marcin Kuzminski <marcin@python-works.com>
parents:
2025
diff
changeset
|
309 self.cookie_store = cookie_store |
61f9aeb2129e
Added session wrapper, for rc 1.2.X compatibility. Adds backwards compatability
Marcin Kuzminski <marcin@python-works.com>
parents:
2025
diff
changeset
|
310 |
61f9aeb2129e
Added session wrapper, for rc 1.2.X compatibility. Adds backwards compatability
Marcin Kuzminski <marcin@python-works.com>
parents:
2025
diff
changeset
|
311 def __repr__(self): |
61f9aeb2129e
Added session wrapper, for rc 1.2.X compatibility. Adds backwards compatability
Marcin Kuzminski <marcin@python-works.com>
parents:
2025
diff
changeset
|
312 return 'CookieStore<%s>' % (self.cookie_store) |
61f9aeb2129e
Added session wrapper, for rc 1.2.X compatibility. Adds backwards compatability
Marcin Kuzminski <marcin@python-works.com>
parents:
2025
diff
changeset
|
313 |
61f9aeb2129e
Added session wrapper, for rc 1.2.X compatibility. Adds backwards compatability
Marcin Kuzminski <marcin@python-works.com>
parents:
2025
diff
changeset
|
314 def get(self, key, other=None): |
61f9aeb2129e
Added session wrapper, for rc 1.2.X compatibility. Adds backwards compatability
Marcin Kuzminski <marcin@python-works.com>
parents:
2025
diff
changeset
|
315 if isinstance(self.cookie_store, dict): |
61f9aeb2129e
Added session wrapper, for rc 1.2.X compatibility. Adds backwards compatability
Marcin Kuzminski <marcin@python-works.com>
parents:
2025
diff
changeset
|
316 return self.cookie_store.get(key, other) |
61f9aeb2129e
Added session wrapper, for rc 1.2.X compatibility. Adds backwards compatability
Marcin Kuzminski <marcin@python-works.com>
parents:
2025
diff
changeset
|
317 elif isinstance(self.cookie_store, AuthUser): |
61f9aeb2129e
Added session wrapper, for rc 1.2.X compatibility. Adds backwards compatability
Marcin Kuzminski <marcin@python-works.com>
parents:
2025
diff
changeset
|
318 return self.cookie_store.__dict__.get(key, other) |
61f9aeb2129e
Added session wrapper, for rc 1.2.X compatibility. Adds backwards compatability
Marcin Kuzminski <marcin@python-works.com>
parents:
2025
diff
changeset
|
319 |
61f9aeb2129e
Added session wrapper, for rc 1.2.X compatibility. Adds backwards compatability
Marcin Kuzminski <marcin@python-works.com>
parents:
2025
diff
changeset
|
320 |
190
d8eb7ee27b4c
Added LoginRequired decorator, empty User data container, hash functions
Marcin Kuzminski <marcin@python-works.com>
parents:
96
diff
changeset
|
321 class AuthUser(object): |
1117
6eb5bb24a948
Major rewrite of auth objects. Moved parts of filling user data into user model.
Marcin Kuzminski <marcin@python-works.com>
parents:
1116
diff
changeset
|
322 """ |
6eb5bb24a948
Major rewrite of auth objects. Moved parts of filling user data into user model.
Marcin Kuzminski <marcin@python-works.com>
parents:
1116
diff
changeset
|
323 A simple object that handles all attributes of user in RhodeCode |
1203
6832ef664673
source code cleanup: remove trailing white space, normalize file endings
Marcin Kuzminski <marcin@python-works.com>
parents:
1195
diff
changeset
|
324 |
1117
6eb5bb24a948
Major rewrite of auth objects. Moved parts of filling user data into user model.
Marcin Kuzminski <marcin@python-works.com>
parents:
1116
diff
changeset
|
325 It does lookup based on API key,given user, or user present in session |
1203
6832ef664673
source code cleanup: remove trailing white space, normalize file endings
Marcin Kuzminski <marcin@python-works.com>
parents:
1195
diff
changeset
|
326 Then it fills all required information for such user. It also checks if |
1117
6eb5bb24a948
Major rewrite of auth objects. Moved parts of filling user data into user model.
Marcin Kuzminski <marcin@python-works.com>
parents:
1116
diff
changeset
|
327 anonymous access is enabled and if so, it returns default user as logged |
6eb5bb24a948
Major rewrite of auth objects. Moved parts of filling user data into user model.
Marcin Kuzminski <marcin@python-works.com>
parents:
1116
diff
changeset
|
328 in |
190
d8eb7ee27b4c
Added LoginRequired decorator, empty User data container, hash functions
Marcin Kuzminski <marcin@python-works.com>
parents:
96
diff
changeset
|
329 """ |
1016
3790279d2538
#56 added propagation of permission from group
Marcin Kuzminski <marcin@python-works.com>
parents:
991
diff
changeset
|
330 |
3125
9b92cf5a0cca
Added UserIpMap interface for allowed IP addresses and IP restriction access
Marcin Kuzminski <marcin@python-works.com>
parents:
2726
diff
changeset
|
331 def __init__(self, user_id=None, api_key=None, username=None, ip_addr=None): |
1117
6eb5bb24a948
Major rewrite of auth objects. Moved parts of filling user data into user model.
Marcin Kuzminski <marcin@python-works.com>
parents:
1116
diff
changeset
|
332 |
6eb5bb24a948
Major rewrite of auth objects. Moved parts of filling user data into user model.
Marcin Kuzminski <marcin@python-works.com>
parents:
1116
diff
changeset
|
333 self.user_id = user_id |
1120
a8d759613d8f
fixed some bugs in api key auth, added access by api key into rss/atom feeds in global journal
Marcin Kuzminski <marcin@python-works.com>
parents:
1118
diff
changeset
|
334 self.api_key = None |
1617
cf128ced8c85
Improved container-based auth implementation and added support for a reverse-proxy setup (using the X-Forwarded-User header)
Liad Shani <liadff@gmail.com>
parents:
1614
diff
changeset
|
335 self.username = username |
3125
9b92cf5a0cca
Added UserIpMap interface for allowed IP addresses and IP restriction access
Marcin Kuzminski <marcin@python-works.com>
parents:
2726
diff
changeset
|
336 self.ip_addr = ip_addr |
1628
de71a4bde097
Some code cleanups and fixes
Marcin Kuzminski <marcin@python-works.com>
parents:
1621
diff
changeset
|
337 |
355
5bbcc0cac389
added session remove in forms, and added name and lastname to auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
350
diff
changeset
|
338 self.name = '' |
5bbcc0cac389
added session remove in forms, and added name and lastname to auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
350
diff
changeset
|
339 self.lastname = '' |
404
a10bdd0b05a7
fixed user email for gravatars
Marcin Kuzminski <marcin@python-works.com>
parents:
399
diff
changeset
|
340 self.email = '' |
316
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
341 self.is_authenticated = False |
1117
6eb5bb24a948
Major rewrite of auth objects. Moved parts of filling user data into user model.
Marcin Kuzminski <marcin@python-works.com>
parents:
1116
diff
changeset
|
342 self.admin = False |
2714
a2eaa0054430
fixed error when disabled anonymous access lead to error on server
Marcin Kuzminski <marcin@python-works.com>
parents:
2709
diff
changeset
|
343 self.inherit_default_permissions = False |
316
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
344 self.permissions = {} |
1120
a8d759613d8f
fixed some bugs in api key auth, added access by api key into rss/atom feeds in global journal
Marcin Kuzminski <marcin@python-works.com>
parents:
1118
diff
changeset
|
345 self._api_key = api_key |
1117
6eb5bb24a948
Major rewrite of auth objects. Moved parts of filling user data into user model.
Marcin Kuzminski <marcin@python-works.com>
parents:
1116
diff
changeset
|
346 self.propagate_data() |
1950
4ae17f819ee8
#344 optional firstname lastname on user creation
Marcin Kuzminski <marcin@python-works.com>
parents:
1824
diff
changeset
|
347 self._instance = None |
1117
6eb5bb24a948
Major rewrite of auth objects. Moved parts of filling user data into user model.
Marcin Kuzminski <marcin@python-works.com>
parents:
1116
diff
changeset
|
348 |
6eb5bb24a948
Major rewrite of auth objects. Moved parts of filling user data into user model.
Marcin Kuzminski <marcin@python-works.com>
parents:
1116
diff
changeset
|
349 def propagate_data(self): |
6eb5bb24a948
Major rewrite of auth objects. Moved parts of filling user data into user model.
Marcin Kuzminski <marcin@python-works.com>
parents:
1116
diff
changeset
|
350 user_model = UserModel() |
1728
07e56179633e
- fixes celery sqlalchemy session issues for async forking
Marcin Kuzminski <marcin@python-works.com>
parents:
1718
diff
changeset
|
351 self.anonymous_user = User.get_by_username('default', cache=True) |
1613
6cab36e31f09
Added container-based authentication support
Liad Shani <liadff@gmail.com>
parents:
1425
diff
changeset
|
352 is_user_loaded = False |
1718
f78bee8eec78
reduce cookie size for better support of client side sessions
Marcin Kuzminski <marcin@python-works.com>
parents:
1716
diff
changeset
|
353 |
1628
de71a4bde097
Some code cleanups and fixes
Marcin Kuzminski <marcin@python-works.com>
parents:
1621
diff
changeset
|
354 # try go get user by api key |
1122
31e82d872631
disabled api key for anonymous users, and added api_key to rss/atom links for other users
Marcin Kuzminski <marcin@python-works.com>
parents:
1120
diff
changeset
|
355 if self._api_key and self._api_key != self.anonymous_user.api_key: |
1976 | 356 log.debug('Auth User lookup by API KEY %s' % self._api_key) |
1618
9353189b7675
Added automatic logout of deactivated/deleted users
Liad Shani <liadff@gmail.com>
parents:
1617
diff
changeset
|
357 is_user_loaded = user_model.fill_data(self, api_key=self._api_key) |
1818
cf51bbfb120e
auto white-space removal
Marcin Kuzminski <marcin@python-works.com>
parents:
1808
diff
changeset
|
358 # lookup by userid |
1718
f78bee8eec78
reduce cookie size for better support of client side sessions
Marcin Kuzminski <marcin@python-works.com>
parents:
1716
diff
changeset
|
359 elif (self.user_id is not None and |
1628
de71a4bde097
Some code cleanups and fixes
Marcin Kuzminski <marcin@python-works.com>
parents:
1621
diff
changeset
|
360 self.user_id != self.anonymous_user.user_id): |
1976 | 361 log.debug('Auth User lookup by USER ID %s' % self.user_id) |
1618
9353189b7675
Added automatic logout of deactivated/deleted users
Liad Shani <liadff@gmail.com>
parents:
1617
diff
changeset
|
362 is_user_loaded = user_model.fill_data(self, user_id=self.user_id) |
1808
ff788e390497
fix issue #323 auth by suername only if container auth is enabled
Marcin Kuzminski <marcin@python-works.com>
parents:
1749
diff
changeset
|
363 # lookup by username |
ff788e390497
fix issue #323 auth by suername only if container auth is enabled
Marcin Kuzminski <marcin@python-works.com>
parents:
1749
diff
changeset
|
364 elif self.username and \ |
ff788e390497
fix issue #323 auth by suername only if container auth is enabled
Marcin Kuzminski <marcin@python-works.com>
parents:
1749
diff
changeset
|
365 str2bool(config.get('container_auth_enabled', False)): |
1818
cf51bbfb120e
auto white-space removal
Marcin Kuzminski <marcin@python-works.com>
parents:
1808
diff
changeset
|
366 |
1976 | 367 log.debug('Auth User lookup by USER NAME %s' % self.username) |
1621
cbc2b1913cdf
Added basic automatic user creation for container auth
Liad Shani <liadff@gmail.com>
parents:
1618
diff
changeset
|
368 dbuser = login_container_auth(self.username) |
cbc2b1913cdf
Added basic automatic user creation for container auth
Liad Shani <liadff@gmail.com>
parents:
1618
diff
changeset
|
369 if dbuser is not None: |
2709
d2d35cf2b351
RhodeCode now has a option to explicitly set forking permissions. ref #508
Marcin Kuzminski <marcin@python-works.com>
parents:
2634
diff
changeset
|
370 log.debug('filling all attributes to object') |
1613
6cab36e31f09
Added container-based authentication support
Liad Shani <liadff@gmail.com>
parents:
1425
diff
changeset
|
371 for k, v in dbuser.get_dict().items(): |
6cab36e31f09
Added container-based authentication support
Liad Shani <liadff@gmail.com>
parents:
1425
diff
changeset
|
372 setattr(self, k, v) |
6cab36e31f09
Added container-based authentication support
Liad Shani <liadff@gmail.com>
parents:
1425
diff
changeset
|
373 self.set_authenticated() |
6cab36e31f09
Added container-based authentication support
Liad Shani <liadff@gmail.com>
parents:
1425
diff
changeset
|
374 is_user_loaded = True |
2045
5b12cbae0b50
fixed issue with sessions that lead to redirection loops
Marcin Kuzminski <marcin@python-works.com>
parents:
2030
diff
changeset
|
375 else: |
5b12cbae0b50
fixed issue with sessions that lead to redirection loops
Marcin Kuzminski <marcin@python-works.com>
parents:
2030
diff
changeset
|
376 log.debug('No data in %s that could been used to log in' % self) |
1613
6cab36e31f09
Added container-based authentication support
Liad Shani <liadff@gmail.com>
parents:
1425
diff
changeset
|
377 |
6cab36e31f09
Added container-based authentication support
Liad Shani <liadff@gmail.com>
parents:
1425
diff
changeset
|
378 if not is_user_loaded: |
1628
de71a4bde097
Some code cleanups and fixes
Marcin Kuzminski <marcin@python-works.com>
parents:
1621
diff
changeset
|
379 # if we cannot authenticate user try anonymous |
1613
6cab36e31f09
Added container-based authentication support
Liad Shani <liadff@gmail.com>
parents:
1425
diff
changeset
|
380 if self.anonymous_user.active is True: |
1718
f78bee8eec78
reduce cookie size for better support of client side sessions
Marcin Kuzminski <marcin@python-works.com>
parents:
1716
diff
changeset
|
381 user_model.fill_data(self, user_id=self.anonymous_user.user_id) |
1628
de71a4bde097
Some code cleanups and fixes
Marcin Kuzminski <marcin@python-works.com>
parents:
1621
diff
changeset
|
382 # then we set this user is logged in |
1613
6cab36e31f09
Added container-based authentication support
Liad Shani <liadff@gmail.com>
parents:
1425
diff
changeset
|
383 self.is_authenticated = True |
1117
6eb5bb24a948
Major rewrite of auth objects. Moved parts of filling user data into user model.
Marcin Kuzminski <marcin@python-works.com>
parents:
1116
diff
changeset
|
384 else: |
1618
9353189b7675
Added automatic logout of deactivated/deleted users
Liad Shani <liadff@gmail.com>
parents:
1617
diff
changeset
|
385 self.user_id = None |
9353189b7675
Added automatic logout of deactivated/deleted users
Liad Shani <liadff@gmail.com>
parents:
1617
diff
changeset
|
386 self.username = None |
1613
6cab36e31f09
Added container-based authentication support
Liad Shani <liadff@gmail.com>
parents:
1425
diff
changeset
|
387 self.is_authenticated = False |
1117
6eb5bb24a948
Major rewrite of auth objects. Moved parts of filling user data into user model.
Marcin Kuzminski <marcin@python-works.com>
parents:
1116
diff
changeset
|
388 |
1617
cf128ced8c85
Improved container-based auth implementation and added support for a reverse-proxy setup (using the X-Forwarded-User header)
Liad Shani <liadff@gmail.com>
parents:
1614
diff
changeset
|
389 if not self.username: |
cf128ced8c85
Improved container-based auth implementation and added support for a reverse-proxy setup (using the X-Forwarded-User header)
Liad Shani <liadff@gmail.com>
parents:
1614
diff
changeset
|
390 self.username = 'None' |
cf128ced8c85
Improved container-based auth implementation and added support for a reverse-proxy setup (using the X-Forwarded-User header)
Liad Shani <liadff@gmail.com>
parents:
1614
diff
changeset
|
391 |
1976 | 392 log.debug('Auth User is now %s' % self) |
1117
6eb5bb24a948
Major rewrite of auth objects. Moved parts of filling user data into user model.
Marcin Kuzminski <marcin@python-works.com>
parents:
1116
diff
changeset
|
393 user_model.fill_perms(self) |
6eb5bb24a948
Major rewrite of auth objects. Moved parts of filling user data into user model.
Marcin Kuzminski <marcin@python-works.com>
parents:
1116
diff
changeset
|
394 |
6eb5bb24a948
Major rewrite of auth objects. Moved parts of filling user data into user model.
Marcin Kuzminski <marcin@python-works.com>
parents:
1116
diff
changeset
|
395 @property |
6eb5bb24a948
Major rewrite of auth objects. Moved parts of filling user data into user model.
Marcin Kuzminski <marcin@python-works.com>
parents:
1116
diff
changeset
|
396 def is_admin(self): |
6eb5bb24a948
Major rewrite of auth objects. Moved parts of filling user data into user model.
Marcin Kuzminski <marcin@python-works.com>
parents:
1116
diff
changeset
|
397 return self.admin |
239
b18f89d6d17f
Adde draft for permissions systems, made all needed decorators, and checks. For future usage in the system.
Marcin Kuzminski <marcin@python-works.com>
parents:
234
diff
changeset
|
398 |
3146
c5169e445fb8
Full IP restrictions enabled
Marcin Kuzminski <marcin@python-works.com>
parents:
3137
diff
changeset
|
399 @property |
c5169e445fb8
Full IP restrictions enabled
Marcin Kuzminski <marcin@python-works.com>
parents:
3137
diff
changeset
|
400 def ip_allowed(self): |
c5169e445fb8
Full IP restrictions enabled
Marcin Kuzminski <marcin@python-works.com>
parents:
3137
diff
changeset
|
401 """ |
c5169e445fb8
Full IP restrictions enabled
Marcin Kuzminski <marcin@python-works.com>
parents:
3137
diff
changeset
|
402 Checks if ip_addr used in constructor is allowed from defined list of |
c5169e445fb8
Full IP restrictions enabled
Marcin Kuzminski <marcin@python-works.com>
parents:
3137
diff
changeset
|
403 allowed ip_addresses for user |
c5169e445fb8
Full IP restrictions enabled
Marcin Kuzminski <marcin@python-works.com>
parents:
3137
diff
changeset
|
404 |
c5169e445fb8
Full IP restrictions enabled
Marcin Kuzminski <marcin@python-works.com>
parents:
3137
diff
changeset
|
405 :returns: boolean, True if ip is in allowed ip range |
c5169e445fb8
Full IP restrictions enabled
Marcin Kuzminski <marcin@python-works.com>
parents:
3137
diff
changeset
|
406 """ |
c5169e445fb8
Full IP restrictions enabled
Marcin Kuzminski <marcin@python-works.com>
parents:
3137
diff
changeset
|
407 #check IP |
c5169e445fb8
Full IP restrictions enabled
Marcin Kuzminski <marcin@python-works.com>
parents:
3137
diff
changeset
|
408 allowed_ips = AuthUser.get_allowed_ips(self.user_id, cache=True) |
c5169e445fb8
Full IP restrictions enabled
Marcin Kuzminski <marcin@python-works.com>
parents:
3137
diff
changeset
|
409 if check_ip_access(source_ip=self.ip_addr, allowed_ips=allowed_ips): |
c5169e445fb8
Full IP restrictions enabled
Marcin Kuzminski <marcin@python-works.com>
parents:
3137
diff
changeset
|
410 log.debug('IP:%s is in range of %s' % (self.ip_addr, allowed_ips)) |
c5169e445fb8
Full IP restrictions enabled
Marcin Kuzminski <marcin@python-works.com>
parents:
3137
diff
changeset
|
411 return True |
c5169e445fb8
Full IP restrictions enabled
Marcin Kuzminski <marcin@python-works.com>
parents:
3137
diff
changeset
|
412 else: |
c5169e445fb8
Full IP restrictions enabled
Marcin Kuzminski <marcin@python-works.com>
parents:
3137
diff
changeset
|
413 log.info('Access for IP:%s forbidden, ' |
c5169e445fb8
Full IP restrictions enabled
Marcin Kuzminski <marcin@python-works.com>
parents:
3137
diff
changeset
|
414 'not in %s' % (self.ip_addr, allowed_ips)) |
c5169e445fb8
Full IP restrictions enabled
Marcin Kuzminski <marcin@python-works.com>
parents:
3137
diff
changeset
|
415 return False |
c5169e445fb8
Full IP restrictions enabled
Marcin Kuzminski <marcin@python-works.com>
parents:
3137
diff
changeset
|
416 |
673
dd532af216d9
#49 Enabled anonymous access for web interface controllable from permissions pannel
Marcin Kuzminski <marcin@python-works.com>
parents:
629
diff
changeset
|
417 def __repr__(self): |
1117
6eb5bb24a948
Major rewrite of auth objects. Moved parts of filling user data into user model.
Marcin Kuzminski <marcin@python-works.com>
parents:
1116
diff
changeset
|
418 return "<AuthUser('id:%s:%s|%s')>" % (self.user_id, self.username, |
6eb5bb24a948
Major rewrite of auth objects. Moved parts of filling user data into user model.
Marcin Kuzminski <marcin@python-works.com>
parents:
1116
diff
changeset
|
419 self.is_authenticated) |
6eb5bb24a948
Major rewrite of auth objects. Moved parts of filling user data into user model.
Marcin Kuzminski <marcin@python-works.com>
parents:
1116
diff
changeset
|
420 |
6eb5bb24a948
Major rewrite of auth objects. Moved parts of filling user data into user model.
Marcin Kuzminski <marcin@python-works.com>
parents:
1116
diff
changeset
|
421 def set_authenticated(self, authenticated=True): |
6eb5bb24a948
Major rewrite of auth objects. Moved parts of filling user data into user model.
Marcin Kuzminski <marcin@python-works.com>
parents:
1116
diff
changeset
|
422 if self.user_id != self.anonymous_user.user_id: |
6eb5bb24a948
Major rewrite of auth objects. Moved parts of filling user data into user model.
Marcin Kuzminski <marcin@python-works.com>
parents:
1116
diff
changeset
|
423 self.is_authenticated = authenticated |
6eb5bb24a948
Major rewrite of auth objects. Moved parts of filling user data into user model.
Marcin Kuzminski <marcin@python-works.com>
parents:
1116
diff
changeset
|
424 |
1718
f78bee8eec78
reduce cookie size for better support of client side sessions
Marcin Kuzminski <marcin@python-works.com>
parents:
1716
diff
changeset
|
425 def get_cookie_store(self): |
1950
4ae17f819ee8
#344 optional firstname lastname on user creation
Marcin Kuzminski <marcin@python-works.com>
parents:
1824
diff
changeset
|
426 return {'username': self.username, |
1718
f78bee8eec78
reduce cookie size for better support of client side sessions
Marcin Kuzminski <marcin@python-works.com>
parents:
1716
diff
changeset
|
427 'user_id': self.user_id, |
1950
4ae17f819ee8
#344 optional firstname lastname on user creation
Marcin Kuzminski <marcin@python-works.com>
parents:
1824
diff
changeset
|
428 'is_authenticated': self.is_authenticated} |
1718
f78bee8eec78
reduce cookie size for better support of client side sessions
Marcin Kuzminski <marcin@python-works.com>
parents:
1716
diff
changeset
|
429 |
f78bee8eec78
reduce cookie size for better support of client side sessions
Marcin Kuzminski <marcin@python-works.com>
parents:
1716
diff
changeset
|
430 @classmethod |
f78bee8eec78
reduce cookie size for better support of client side sessions
Marcin Kuzminski <marcin@python-works.com>
parents:
1716
diff
changeset
|
431 def from_cookie_store(cls, cookie_store): |
2030
61f9aeb2129e
Added session wrapper, for rc 1.2.X compatibility. Adds backwards compatability
Marcin Kuzminski <marcin@python-works.com>
parents:
2025
diff
changeset
|
432 """ |
61f9aeb2129e
Added session wrapper, for rc 1.2.X compatibility. Adds backwards compatability
Marcin Kuzminski <marcin@python-works.com>
parents:
2025
diff
changeset
|
433 Creates AuthUser from a cookie store |
61f9aeb2129e
Added session wrapper, for rc 1.2.X compatibility. Adds backwards compatability
Marcin Kuzminski <marcin@python-works.com>
parents:
2025
diff
changeset
|
434 |
61f9aeb2129e
Added session wrapper, for rc 1.2.X compatibility. Adds backwards compatability
Marcin Kuzminski <marcin@python-works.com>
parents:
2025
diff
changeset
|
435 :param cls: |
61f9aeb2129e
Added session wrapper, for rc 1.2.X compatibility. Adds backwards compatability
Marcin Kuzminski <marcin@python-works.com>
parents:
2025
diff
changeset
|
436 :param cookie_store: |
61f9aeb2129e
Added session wrapper, for rc 1.2.X compatibility. Adds backwards compatability
Marcin Kuzminski <marcin@python-works.com>
parents:
2025
diff
changeset
|
437 """ |
1718
f78bee8eec78
reduce cookie size for better support of client side sessions
Marcin Kuzminski <marcin@python-works.com>
parents:
1716
diff
changeset
|
438 user_id = cookie_store.get('user_id') |
f78bee8eec78
reduce cookie size for better support of client side sessions
Marcin Kuzminski <marcin@python-works.com>
parents:
1716
diff
changeset
|
439 username = cookie_store.get('username') |
f78bee8eec78
reduce cookie size for better support of client side sessions
Marcin Kuzminski <marcin@python-works.com>
parents:
1716
diff
changeset
|
440 api_key = cookie_store.get('api_key') |
f78bee8eec78
reduce cookie size for better support of client side sessions
Marcin Kuzminski <marcin@python-works.com>
parents:
1716
diff
changeset
|
441 return AuthUser(user_id, api_key, username) |
239
b18f89d6d17f
Adde draft for permissions systems, made all needed decorators, and checks. For future usage in the system.
Marcin Kuzminski <marcin@python-works.com>
parents:
234
diff
changeset
|
442 |
3125
9b92cf5a0cca
Added UserIpMap interface for allowed IP addresses and IP restriction access
Marcin Kuzminski <marcin@python-works.com>
parents:
2726
diff
changeset
|
443 @classmethod |
3146
c5169e445fb8
Full IP restrictions enabled
Marcin Kuzminski <marcin@python-works.com>
parents:
3137
diff
changeset
|
444 def get_allowed_ips(cls, user_id, cache=False): |
3125
9b92cf5a0cca
Added UserIpMap interface for allowed IP addresses and IP restriction access
Marcin Kuzminski <marcin@python-works.com>
parents:
2726
diff
changeset
|
445 _set = set() |
3146
c5169e445fb8
Full IP restrictions enabled
Marcin Kuzminski <marcin@python-works.com>
parents:
3137
diff
changeset
|
446 user_ips = UserIpMap.query().filter(UserIpMap.user_id == user_id) |
c5169e445fb8
Full IP restrictions enabled
Marcin Kuzminski <marcin@python-works.com>
parents:
3137
diff
changeset
|
447 if cache: |
c5169e445fb8
Full IP restrictions enabled
Marcin Kuzminski <marcin@python-works.com>
parents:
3137
diff
changeset
|
448 user_ips = user_ips.options(FromCache("sql_cache_short", |
c5169e445fb8
Full IP restrictions enabled
Marcin Kuzminski <marcin@python-works.com>
parents:
3137
diff
changeset
|
449 "get_user_ips_%s" % user_id)) |
3125
9b92cf5a0cca
Added UserIpMap interface for allowed IP addresses and IP restriction access
Marcin Kuzminski <marcin@python-works.com>
parents:
2726
diff
changeset
|
450 for ip in user_ips: |
3212
6c28533d122c
IP restrictions now also enabled for IPv6
Marcin Kuzminski <marcin@python-works.com>
parents:
3173
diff
changeset
|
451 try: |
6c28533d122c
IP restrictions now also enabled for IPv6
Marcin Kuzminski <marcin@python-works.com>
parents:
3173
diff
changeset
|
452 _set.add(ip.ip_addr) |
6c28533d122c
IP restrictions now also enabled for IPv6
Marcin Kuzminski <marcin@python-works.com>
parents:
3173
diff
changeset
|
453 except ObjectDeletedError: |
6c28533d122c
IP restrictions now also enabled for IPv6
Marcin Kuzminski <marcin@python-works.com>
parents:
3173
diff
changeset
|
454 # since we use heavy caching sometimes it happens that we get |
6c28533d122c
IP restrictions now also enabled for IPv6
Marcin Kuzminski <marcin@python-works.com>
parents:
3173
diff
changeset
|
455 # deleted objects here, we just skip them |
6c28533d122c
IP restrictions now also enabled for IPv6
Marcin Kuzminski <marcin@python-works.com>
parents:
3173
diff
changeset
|
456 pass |
6c28533d122c
IP restrictions now also enabled for IPv6
Marcin Kuzminski <marcin@python-works.com>
parents:
3173
diff
changeset
|
457 return _set or set(['0.0.0.0/0', '::/0']) |
3125
9b92cf5a0cca
Added UserIpMap interface for allowed IP addresses and IP restriction access
Marcin Kuzminski <marcin@python-works.com>
parents:
2726
diff
changeset
|
458 |
1950
4ae17f819ee8
#344 optional firstname lastname on user creation
Marcin Kuzminski <marcin@python-works.com>
parents:
1824
diff
changeset
|
459 |
239
b18f89d6d17f
Adde draft for permissions systems, made all needed decorators, and checks. For future usage in the system.
Marcin Kuzminski <marcin@python-works.com>
parents:
234
diff
changeset
|
460 def set_available_permissions(config): |
1628
de71a4bde097
Some code cleanups and fixes
Marcin Kuzminski <marcin@python-works.com>
parents:
1621
diff
changeset
|
461 """ |
de71a4bde097
Some code cleanups and fixes
Marcin Kuzminski <marcin@python-works.com>
parents:
1621
diff
changeset
|
462 This function will propagate pylons globals with all available defined |
1203
6832ef664673
source code cleanup: remove trailing white space, normalize file endings
Marcin Kuzminski <marcin@python-works.com>
parents:
1195
diff
changeset
|
463 permission given in db. We don't want to check each time from db for new |
239
b18f89d6d17f
Adde draft for permissions systems, made all needed decorators, and checks. For future usage in the system.
Marcin Kuzminski <marcin@python-works.com>
parents:
234
diff
changeset
|
464 permissions since adding a new permission also requires application restart |
b18f89d6d17f
Adde draft for permissions systems, made all needed decorators, and checks. For future usage in the system.
Marcin Kuzminski <marcin@python-works.com>
parents:
234
diff
changeset
|
465 ie. to decorate new views with the newly created permission |
1203
6832ef664673
source code cleanup: remove trailing white space, normalize file endings
Marcin Kuzminski <marcin@python-works.com>
parents:
1195
diff
changeset
|
466 |
895
62c04c5cc971
Added some more details into user edit permissions view
Marcin Kuzminski <marcin@python-works.com>
parents:
779
diff
changeset
|
467 :param config: current pylons config instance |
1203
6832ef664673
source code cleanup: remove trailing white space, normalize file endings
Marcin Kuzminski <marcin@python-works.com>
parents:
1195
diff
changeset
|
468 |
239
b18f89d6d17f
Adde draft for permissions systems, made all needed decorators, and checks. For future usage in the system.
Marcin Kuzminski <marcin@python-works.com>
parents:
234
diff
changeset
|
469 """ |
316
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
470 log.info('getting information about all available permissions') |
350
664a5b8c551a
Added application settings, are now customizable from database
Marcin Kuzminski <marcin@python-works.com>
parents:
343
diff
changeset
|
471 try: |
1749
8ecc6b8229a5
commit less models
Marcin Kuzminski <marcin@python-works.com>
parents:
1728
diff
changeset
|
472 sa = meta.Session |
350
664a5b8c551a
Added application settings, are now customizable from database
Marcin Kuzminski <marcin@python-works.com>
parents:
343
diff
changeset
|
473 all_perms = sa.query(Permission).all() |
1950
4ae17f819ee8
#344 optional firstname lastname on user creation
Marcin Kuzminski <marcin@python-works.com>
parents:
1824
diff
changeset
|
474 except Exception: |
629
7e536d1af60d
Code refactoring,models renames
Marcin Kuzminski <marcin@python-works.com>
parents:
612
diff
changeset
|
475 pass |
350
664a5b8c551a
Added application settings, are now customizable from database
Marcin Kuzminski <marcin@python-works.com>
parents:
343
diff
changeset
|
476 finally: |
664a5b8c551a
Added application settings, are now customizable from database
Marcin Kuzminski <marcin@python-works.com>
parents:
343
diff
changeset
|
477 meta.Session.remove() |
673
dd532af216d9
#49 Enabled anonymous access for web interface controllable from permissions pannel
Marcin Kuzminski <marcin@python-works.com>
parents:
629
diff
changeset
|
478 |
316
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
479 config['available_permissions'] = [x.permission_name for x in all_perms] |
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
480 |
1246 | 481 |
482 #============================================================================== | |
316
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
483 # CHECK DECORATORS |
1246 | 484 #============================================================================== |
190
d8eb7ee27b4c
Added LoginRequired decorator, empty User data container, hash functions
Marcin Kuzminski <marcin@python-works.com>
parents:
96
diff
changeset
|
485 class LoginRequired(object): |
1117
6eb5bb24a948
Major rewrite of auth objects. Moved parts of filling user data into user model.
Marcin Kuzminski <marcin@python-works.com>
parents:
1116
diff
changeset
|
486 """ |
1203
6832ef664673
source code cleanup: remove trailing white space, normalize file endings
Marcin Kuzminski <marcin@python-works.com>
parents:
1195
diff
changeset
|
487 Must be logged in to execute this function else |
1117
6eb5bb24a948
Major rewrite of auth objects. Moved parts of filling user data into user model.
Marcin Kuzminski <marcin@python-works.com>
parents:
1116
diff
changeset
|
488 redirect to login page |
1203
6832ef664673
source code cleanup: remove trailing white space, normalize file endings
Marcin Kuzminski <marcin@python-works.com>
parents:
1195
diff
changeset
|
489 |
1117
6eb5bb24a948
Major rewrite of auth objects. Moved parts of filling user data into user model.
Marcin Kuzminski <marcin@python-works.com>
parents:
1116
diff
changeset
|
490 :param api_access: if enabled this checks only for valid auth token |
6eb5bb24a948
Major rewrite of auth objects. Moved parts of filling user data into user model.
Marcin Kuzminski <marcin@python-works.com>
parents:
1116
diff
changeset
|
491 and grants access based on valid token |
6eb5bb24a948
Major rewrite of auth objects. Moved parts of filling user data into user model.
Marcin Kuzminski <marcin@python-works.com>
parents:
1116
diff
changeset
|
492 """ |
6eb5bb24a948
Major rewrite of auth objects. Moved parts of filling user data into user model.
Marcin Kuzminski <marcin@python-works.com>
parents:
1116
diff
changeset
|
493 |
6eb5bb24a948
Major rewrite of auth objects. Moved parts of filling user data into user model.
Marcin Kuzminski <marcin@python-works.com>
parents:
1116
diff
changeset
|
494 def __init__(self, api_access=False): |
6eb5bb24a948
Major rewrite of auth objects. Moved parts of filling user data into user model.
Marcin Kuzminski <marcin@python-works.com>
parents:
1116
diff
changeset
|
495 self.api_access = api_access |
673
dd532af216d9
#49 Enabled anonymous access for web interface controllable from permissions pannel
Marcin Kuzminski <marcin@python-works.com>
parents:
629
diff
changeset
|
496 |
190
d8eb7ee27b4c
Added LoginRequired decorator, empty User data container, hash functions
Marcin Kuzminski <marcin@python-works.com>
parents:
96
diff
changeset
|
497 def __call__(self, func): |
377
bd8b25ad058d
Fixed decorators bug when using them with keyworded arguments,new implementation takes new approach that is more flexible
Marcin Kuzminski <marcin@python-works.com>
parents:
371
diff
changeset
|
498 return decorator(self.__wrapper, func) |
673
dd532af216d9
#49 Enabled anonymous access for web interface controllable from permissions pannel
Marcin Kuzminski <marcin@python-works.com>
parents:
629
diff
changeset
|
499 |
377
bd8b25ad058d
Fixed decorators bug when using them with keyworded arguments,new implementation takes new approach that is more flexible
Marcin Kuzminski <marcin@python-works.com>
parents:
371
diff
changeset
|
500 def __wrapper(self, func, *fargs, **fkwargs): |
1117
6eb5bb24a948
Major rewrite of auth objects. Moved parts of filling user data into user model.
Marcin Kuzminski <marcin@python-works.com>
parents:
1116
diff
changeset
|
501 cls = fargs[0] |
6eb5bb24a948
Major rewrite of auth objects. Moved parts of filling user data into user model.
Marcin Kuzminski <marcin@python-works.com>
parents:
1116
diff
changeset
|
502 user = cls.rhodecode_user |
3146
c5169e445fb8
Full IP restrictions enabled
Marcin Kuzminski <marcin@python-works.com>
parents:
3137
diff
changeset
|
503 loc = "%s:%s" % (cls.__class__.__name__, func.__name__) |
c5169e445fb8
Full IP restrictions enabled
Marcin Kuzminski <marcin@python-works.com>
parents:
3137
diff
changeset
|
504 |
c5169e445fb8
Full IP restrictions enabled
Marcin Kuzminski <marcin@python-works.com>
parents:
3137
diff
changeset
|
505 #check IP |
c5169e445fb8
Full IP restrictions enabled
Marcin Kuzminski <marcin@python-works.com>
parents:
3137
diff
changeset
|
506 ip_access_ok = True |
c5169e445fb8
Full IP restrictions enabled
Marcin Kuzminski <marcin@python-works.com>
parents:
3137
diff
changeset
|
507 if not user.ip_allowed: |
c5169e445fb8
Full IP restrictions enabled
Marcin Kuzminski <marcin@python-works.com>
parents:
3137
diff
changeset
|
508 from rhodecode.lib import helpers as h |
c5169e445fb8
Full IP restrictions enabled
Marcin Kuzminski <marcin@python-works.com>
parents:
3137
diff
changeset
|
509 h.flash(h.literal(_('IP %s not allowed' % (user.ip_addr))), |
c5169e445fb8
Full IP restrictions enabled
Marcin Kuzminski <marcin@python-works.com>
parents:
3137
diff
changeset
|
510 category='warning') |
c5169e445fb8
Full IP restrictions enabled
Marcin Kuzminski <marcin@python-works.com>
parents:
3137
diff
changeset
|
511 ip_access_ok = False |
1117
6eb5bb24a948
Major rewrite of auth objects. Moved parts of filling user data into user model.
Marcin Kuzminski <marcin@python-works.com>
parents:
1116
diff
changeset
|
512 |
6eb5bb24a948
Major rewrite of auth objects. Moved parts of filling user data into user model.
Marcin Kuzminski <marcin@python-works.com>
parents:
1116
diff
changeset
|
513 api_access_ok = False |
6eb5bb24a948
Major rewrite of auth objects. Moved parts of filling user data into user model.
Marcin Kuzminski <marcin@python-works.com>
parents:
1116
diff
changeset
|
514 if self.api_access: |
1976 | 515 log.debug('Checking API KEY access for %s' % cls) |
1117
6eb5bb24a948
Major rewrite of auth objects. Moved parts of filling user data into user model.
Marcin Kuzminski <marcin@python-works.com>
parents:
1116
diff
changeset
|
516 if user.api_key == request.GET.get('api_key'): |
6eb5bb24a948
Major rewrite of auth objects. Moved parts of filling user data into user model.
Marcin Kuzminski <marcin@python-works.com>
parents:
1116
diff
changeset
|
517 api_access_ok = True |
6eb5bb24a948
Major rewrite of auth objects. Moved parts of filling user data into user model.
Marcin Kuzminski <marcin@python-works.com>
parents:
1116
diff
changeset
|
518 else: |
6eb5bb24a948
Major rewrite of auth objects. Moved parts of filling user data into user model.
Marcin Kuzminski <marcin@python-works.com>
parents:
1116
diff
changeset
|
519 log.debug("API KEY token not valid") |
3146
c5169e445fb8
Full IP restrictions enabled
Marcin Kuzminski <marcin@python-works.com>
parents:
3137
diff
changeset
|
520 |
2025
7e979933ffec
more work on improving info logging
Marcin Kuzminski <marcin@python-works.com>
parents:
2000
diff
changeset
|
521 log.debug('Checking if %s is authenticated @ %s' % (user.username, loc)) |
3146
c5169e445fb8
Full IP restrictions enabled
Marcin Kuzminski <marcin@python-works.com>
parents:
3137
diff
changeset
|
522 if (user.is_authenticated or api_access_ok) and ip_access_ok: |
2458
ba49541187d9
Little more verbose logging for auth
Marcin Kuzminski <marcin@python-works.com>
parents:
2278
diff
changeset
|
523 reason = 'RegularAuth' if user.is_authenticated else 'APIAuth' |
ba49541187d9
Little more verbose logging for auth
Marcin Kuzminski <marcin@python-works.com>
parents:
2278
diff
changeset
|
524 log.info('user %s is authenticated and granted access to %s ' |
ba49541187d9
Little more verbose logging for auth
Marcin Kuzminski <marcin@python-works.com>
parents:
2278
diff
changeset
|
525 'using %s' % (user.username, loc, reason) |
2025
7e979933ffec
more work on improving info logging
Marcin Kuzminski <marcin@python-works.com>
parents:
2000
diff
changeset
|
526 ) |
377
bd8b25ad058d
Fixed decorators bug when using them with keyworded arguments,new implementation takes new approach that is more flexible
Marcin Kuzminski <marcin@python-works.com>
parents:
371
diff
changeset
|
527 return func(*fargs, **fkwargs) |
bd8b25ad058d
Fixed decorators bug when using them with keyworded arguments,new implementation takes new approach that is more flexible
Marcin Kuzminski <marcin@python-works.com>
parents:
371
diff
changeset
|
528 else: |
2025
7e979933ffec
more work on improving info logging
Marcin Kuzminski <marcin@python-works.com>
parents:
2000
diff
changeset
|
529 log.warn('user %s NOT authenticated on func: %s' % ( |
7e979933ffec
more work on improving info logging
Marcin Kuzminski <marcin@python-works.com>
parents:
2000
diff
changeset
|
530 user, loc) |
7e979933ffec
more work on improving info logging
Marcin Kuzminski <marcin@python-works.com>
parents:
2000
diff
changeset
|
531 ) |
1207
e61b7ba293db
changed the way of generating url for came_from
Marcin Kuzminski <marcin@python-works.com>
parents:
1206
diff
changeset
|
532 p = url.current() |
673
dd532af216d9
#49 Enabled anonymous access for web interface controllable from permissions pannel
Marcin Kuzminski <marcin@python-works.com>
parents:
629
diff
changeset
|
533 |
1976 | 534 log.debug('redirecting to login page with %s' % p) |
474
a3d9d24acbec
Implemented password reset(forms/models/ tasks) and mailing tasks.
Marcin Kuzminski <marcin@python-works.com>
parents:
442
diff
changeset
|
535 return redirect(url('login_home', came_from=p)) |
239
b18f89d6d17f
Adde draft for permissions systems, made all needed decorators, and checks. For future usage in the system.
Marcin Kuzminski <marcin@python-works.com>
parents:
234
diff
changeset
|
536 |
1246 | 537 |
779
389d02a5df52
Added isanonymous decorator for checking permissions for anonymous access
Marcin Kuzminski <marcin@python-works.com>
parents:
761
diff
changeset
|
538 class NotAnonymous(object): |
1716
7d1fc253549e
notification to commit author + gardening
Marcin Kuzminski <marcin@python-works.com>
parents:
1644
diff
changeset
|
539 """ |
7d1fc253549e
notification to commit author + gardening
Marcin Kuzminski <marcin@python-works.com>
parents:
1644
diff
changeset
|
540 Must be logged in to execute this function else |
779
389d02a5df52
Added isanonymous decorator for checking permissions for anonymous access
Marcin Kuzminski <marcin@python-works.com>
parents:
761
diff
changeset
|
541 redirect to login page""" |
389d02a5df52
Added isanonymous decorator for checking permissions for anonymous access
Marcin Kuzminski <marcin@python-works.com>
parents:
761
diff
changeset
|
542 |
389d02a5df52
Added isanonymous decorator for checking permissions for anonymous access
Marcin Kuzminski <marcin@python-works.com>
parents:
761
diff
changeset
|
543 def __call__(self, func): |
389d02a5df52
Added isanonymous decorator for checking permissions for anonymous access
Marcin Kuzminski <marcin@python-works.com>
parents:
761
diff
changeset
|
544 return decorator(self.__wrapper, func) |
389d02a5df52
Added isanonymous decorator for checking permissions for anonymous access
Marcin Kuzminski <marcin@python-works.com>
parents:
761
diff
changeset
|
545 |
389d02a5df52
Added isanonymous decorator for checking permissions for anonymous access
Marcin Kuzminski <marcin@python-works.com>
parents:
761
diff
changeset
|
546 def __wrapper(self, func, *fargs, **fkwargs): |
1117
6eb5bb24a948
Major rewrite of auth objects. Moved parts of filling user data into user model.
Marcin Kuzminski <marcin@python-works.com>
parents:
1116
diff
changeset
|
547 cls = fargs[0] |
6eb5bb24a948
Major rewrite of auth objects. Moved parts of filling user data into user model.
Marcin Kuzminski <marcin@python-works.com>
parents:
1116
diff
changeset
|
548 self.user = cls.rhodecode_user |
779
389d02a5df52
Added isanonymous decorator for checking permissions for anonymous access
Marcin Kuzminski <marcin@python-works.com>
parents:
761
diff
changeset
|
549 |
1976 | 550 log.debug('Checking if user is not anonymous @%s' % cls) |
1117
6eb5bb24a948
Major rewrite of auth objects. Moved parts of filling user data into user model.
Marcin Kuzminski <marcin@python-works.com>
parents:
1116
diff
changeset
|
551 |
6eb5bb24a948
Major rewrite of auth objects. Moved parts of filling user data into user model.
Marcin Kuzminski <marcin@python-works.com>
parents:
1116
diff
changeset
|
552 anonymous = self.user.username == 'default' |
779
389d02a5df52
Added isanonymous decorator for checking permissions for anonymous access
Marcin Kuzminski <marcin@python-works.com>
parents:
761
diff
changeset
|
553 |
389d02a5df52
Added isanonymous decorator for checking permissions for anonymous access
Marcin Kuzminski <marcin@python-works.com>
parents:
761
diff
changeset
|
554 if anonymous: |
1335
40c8d18102a9
fixed redirection link in notAnonymous decorator
Marcin Kuzminski <marcin@python-works.com>
parents:
1307
diff
changeset
|
555 p = url.current() |
1056
520d27f40b51
#113 removed anonymous access from forking, added system messages in login box.
Marcin Kuzminski <marcin@python-works.com>
parents:
1040
diff
changeset
|
556 |
520d27f40b51
#113 removed anonymous access from forking, added system messages in login box.
Marcin Kuzminski <marcin@python-works.com>
parents:
1040
diff
changeset
|
557 import rhodecode.lib.helpers as h |
1246 | 558 h.flash(_('You need to be a registered user to ' |
559 'perform this action'), | |
1056
520d27f40b51
#113 removed anonymous access from forking, added system messages in login box.
Marcin Kuzminski <marcin@python-works.com>
parents:
1040
diff
changeset
|
560 category='warning') |
779
389d02a5df52
Added isanonymous decorator for checking permissions for anonymous access
Marcin Kuzminski <marcin@python-works.com>
parents:
761
diff
changeset
|
561 return redirect(url('login_home', came_from=p)) |
389d02a5df52
Added isanonymous decorator for checking permissions for anonymous access
Marcin Kuzminski <marcin@python-works.com>
parents:
761
diff
changeset
|
562 else: |
389d02a5df52
Added isanonymous decorator for checking permissions for anonymous access
Marcin Kuzminski <marcin@python-works.com>
parents:
761
diff
changeset
|
563 return func(*fargs, **fkwargs) |
389d02a5df52
Added isanonymous decorator for checking permissions for anonymous access
Marcin Kuzminski <marcin@python-works.com>
parents:
761
diff
changeset
|
564 |
1246 | 565 |
239
b18f89d6d17f
Adde draft for permissions systems, made all needed decorators, and checks. For future usage in the system.
Marcin Kuzminski <marcin@python-works.com>
parents:
234
diff
changeset
|
566 class PermsDecorator(object): |
1117
6eb5bb24a948
Major rewrite of auth objects. Moved parts of filling user data into user model.
Marcin Kuzminski <marcin@python-works.com>
parents:
1116
diff
changeset
|
567 """Base class for controller decorators""" |
673
dd532af216d9
#49 Enabled anonymous access for web interface controllable from permissions pannel
Marcin Kuzminski <marcin@python-works.com>
parents:
629
diff
changeset
|
568 |
316
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
569 def __init__(self, *required_perms): |
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
570 available_perms = config['available_permissions'] |
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
571 for perm in required_perms: |
239
b18f89d6d17f
Adde draft for permissions systems, made all needed decorators, and checks. For future usage in the system.
Marcin Kuzminski <marcin@python-works.com>
parents:
234
diff
changeset
|
572 if perm not in available_perms: |
316
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
573 raise Exception("'%s' permission is not defined" % perm) |
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
574 self.required_perms = set(required_perms) |
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
575 self.user_perms = None |
673
dd532af216d9
#49 Enabled anonymous access for web interface controllable from permissions pannel
Marcin Kuzminski <marcin@python-works.com>
parents:
629
diff
changeset
|
576 |
316
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
577 def __call__(self, func): |
377
bd8b25ad058d
Fixed decorators bug when using them with keyworded arguments,new implementation takes new approach that is more flexible
Marcin Kuzminski <marcin@python-works.com>
parents:
371
diff
changeset
|
578 return decorator(self.__wrapper, func) |
673
dd532af216d9
#49 Enabled anonymous access for web interface controllable from permissions pannel
Marcin Kuzminski <marcin@python-works.com>
parents:
629
diff
changeset
|
579 |
377
bd8b25ad058d
Fixed decorators bug when using them with keyworded arguments,new implementation takes new approach that is more flexible
Marcin Kuzminski <marcin@python-works.com>
parents:
371
diff
changeset
|
580 def __wrapper(self, func, *fargs, **fkwargs): |
1117
6eb5bb24a948
Major rewrite of auth objects. Moved parts of filling user data into user model.
Marcin Kuzminski <marcin@python-works.com>
parents:
1116
diff
changeset
|
581 cls = fargs[0] |
6eb5bb24a948
Major rewrite of auth objects. Moved parts of filling user data into user model.
Marcin Kuzminski <marcin@python-works.com>
parents:
1116
diff
changeset
|
582 self.user = cls.rhodecode_user |
673
dd532af216d9
#49 Enabled anonymous access for web interface controllable from permissions pannel
Marcin Kuzminski <marcin@python-works.com>
parents:
629
diff
changeset
|
583 self.user_perms = self.user.permissions |
dd532af216d9
#49 Enabled anonymous access for web interface controllable from permissions pannel
Marcin Kuzminski <marcin@python-works.com>
parents:
629
diff
changeset
|
584 log.debug('checking %s permissions %s for %s %s', |
2125
097327aaf2ad
more detailed logging on auth system
Marcin Kuzminski <marcin@python-works.com>
parents:
2109
diff
changeset
|
585 self.__class__.__name__, self.required_perms, cls, self.user) |
377
bd8b25ad058d
Fixed decorators bug when using them with keyworded arguments,new implementation takes new approach that is more flexible
Marcin Kuzminski <marcin@python-works.com>
parents:
371
diff
changeset
|
586 |
bd8b25ad058d
Fixed decorators bug when using them with keyworded arguments,new implementation takes new approach that is more flexible
Marcin Kuzminski <marcin@python-works.com>
parents:
371
diff
changeset
|
587 if self.check_permissions(): |
1976 | 588 log.debug('Permission granted for %s %s' % (cls, self.user)) |
377
bd8b25ad058d
Fixed decorators bug when using them with keyworded arguments,new implementation takes new approach that is more flexible
Marcin Kuzminski <marcin@python-works.com>
parents:
371
diff
changeset
|
589 return func(*fargs, **fkwargs) |
673
dd532af216d9
#49 Enabled anonymous access for web interface controllable from permissions pannel
Marcin Kuzminski <marcin@python-works.com>
parents:
629
diff
changeset
|
590 |
377
bd8b25ad058d
Fixed decorators bug when using them with keyworded arguments,new implementation takes new approach that is more flexible
Marcin Kuzminski <marcin@python-works.com>
parents:
371
diff
changeset
|
591 else: |
2025
7e979933ffec
more work on improving info logging
Marcin Kuzminski <marcin@python-works.com>
parents:
2000
diff
changeset
|
592 log.debug('Permission denied for %s %s' % (cls, self.user)) |
1336
e9fe4ff57cbb
Do a redirect to login for anonymous users
Marcin Kuzminski <marcin@python-works.com>
parents:
1335
diff
changeset
|
593 anonymous = self.user.username == 'default' |
e9fe4ff57cbb
Do a redirect to login for anonymous users
Marcin Kuzminski <marcin@python-works.com>
parents:
1335
diff
changeset
|
594 |
e9fe4ff57cbb
Do a redirect to login for anonymous users
Marcin Kuzminski <marcin@python-works.com>
parents:
1335
diff
changeset
|
595 if anonymous: |
e9fe4ff57cbb
Do a redirect to login for anonymous users
Marcin Kuzminski <marcin@python-works.com>
parents:
1335
diff
changeset
|
596 p = url.current() |
e9fe4ff57cbb
Do a redirect to login for anonymous users
Marcin Kuzminski <marcin@python-works.com>
parents:
1335
diff
changeset
|
597 |
e9fe4ff57cbb
Do a redirect to login for anonymous users
Marcin Kuzminski <marcin@python-works.com>
parents:
1335
diff
changeset
|
598 import rhodecode.lib.helpers as h |
e9fe4ff57cbb
Do a redirect to login for anonymous users
Marcin Kuzminski <marcin@python-works.com>
parents:
1335
diff
changeset
|
599 h.flash(_('You need to be a signed in to ' |
e9fe4ff57cbb
Do a redirect to login for anonymous users
Marcin Kuzminski <marcin@python-works.com>
parents:
1335
diff
changeset
|
600 'view this page'), |
e9fe4ff57cbb
Do a redirect to login for anonymous users
Marcin Kuzminski <marcin@python-works.com>
parents:
1335
diff
changeset
|
601 category='warning') |
e9fe4ff57cbb
Do a redirect to login for anonymous users
Marcin Kuzminski <marcin@python-works.com>
parents:
1335
diff
changeset
|
602 return redirect(url('login_home', came_from=p)) |
e9fe4ff57cbb
Do a redirect to login for anonymous users
Marcin Kuzminski <marcin@python-works.com>
parents:
1335
diff
changeset
|
603 |
e9fe4ff57cbb
Do a redirect to login for anonymous users
Marcin Kuzminski <marcin@python-works.com>
parents:
1335
diff
changeset
|
604 else: |
1628
de71a4bde097
Some code cleanups and fixes
Marcin Kuzminski <marcin@python-works.com>
parents:
1621
diff
changeset
|
605 # redirect with forbidden ret code |
1336
e9fe4ff57cbb
Do a redirect to login for anonymous users
Marcin Kuzminski <marcin@python-works.com>
parents:
1335
diff
changeset
|
606 return abort(403) |
377
bd8b25ad058d
Fixed decorators bug when using them with keyworded arguments,new implementation takes new approach that is more flexible
Marcin Kuzminski <marcin@python-works.com>
parents:
371
diff
changeset
|
607 |
239
b18f89d6d17f
Adde draft for permissions systems, made all needed decorators, and checks. For future usage in the system.
Marcin Kuzminski <marcin@python-works.com>
parents:
234
diff
changeset
|
608 def check_permissions(self): |
377
bd8b25ad058d
Fixed decorators bug when using them with keyworded arguments,new implementation takes new approach that is more flexible
Marcin Kuzminski <marcin@python-works.com>
parents:
371
diff
changeset
|
609 """Dummy function for overriding""" |
239
b18f89d6d17f
Adde draft for permissions systems, made all needed decorators, and checks. For future usage in the system.
Marcin Kuzminski <marcin@python-works.com>
parents:
234
diff
changeset
|
610 raise Exception('You have to write this function in child class') |
b18f89d6d17f
Adde draft for permissions systems, made all needed decorators, and checks. For future usage in the system.
Marcin Kuzminski <marcin@python-works.com>
parents:
234
diff
changeset
|
611 |
1246 | 612 |
316
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
613 class HasPermissionAllDecorator(PermsDecorator): |
1716
7d1fc253549e
notification to commit author + gardening
Marcin Kuzminski <marcin@python-works.com>
parents:
1644
diff
changeset
|
614 """ |
7d1fc253549e
notification to commit author + gardening
Marcin Kuzminski <marcin@python-works.com>
parents:
1644
diff
changeset
|
615 Checks for access permission for all given predicates. All of them |
377
bd8b25ad058d
Fixed decorators bug when using them with keyworded arguments,new implementation takes new approach that is more flexible
Marcin Kuzminski <marcin@python-works.com>
parents:
371
diff
changeset
|
616 have to be meet in order to fulfill the request |
239
b18f89d6d17f
Adde draft for permissions systems, made all needed decorators, and checks. For future usage in the system.
Marcin Kuzminski <marcin@python-works.com>
parents:
234
diff
changeset
|
617 """ |
673
dd532af216d9
#49 Enabled anonymous access for web interface controllable from permissions pannel
Marcin Kuzminski <marcin@python-works.com>
parents:
629
diff
changeset
|
618 |
239
b18f89d6d17f
Adde draft for permissions systems, made all needed decorators, and checks. For future usage in the system.
Marcin Kuzminski <marcin@python-works.com>
parents:
234
diff
changeset
|
619 def check_permissions(self): |
339
5d517bbf0a0d
some extra checks for auth lib
Marcin Kuzminski <marcin@python-works.com>
parents:
333
diff
changeset
|
620 if self.required_perms.issubset(self.user_perms.get('global')): |
239
b18f89d6d17f
Adde draft for permissions systems, made all needed decorators, and checks. For future usage in the system.
Marcin Kuzminski <marcin@python-works.com>
parents:
234
diff
changeset
|
621 return True |
b18f89d6d17f
Adde draft for permissions systems, made all needed decorators, and checks. For future usage in the system.
Marcin Kuzminski <marcin@python-works.com>
parents:
234
diff
changeset
|
622 return False |
673
dd532af216d9
#49 Enabled anonymous access for web interface controllable from permissions pannel
Marcin Kuzminski <marcin@python-works.com>
parents:
629
diff
changeset
|
623 |
239
b18f89d6d17f
Adde draft for permissions systems, made all needed decorators, and checks. For future usage in the system.
Marcin Kuzminski <marcin@python-works.com>
parents:
234
diff
changeset
|
624 |
316
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
625 class HasPermissionAnyDecorator(PermsDecorator): |
1716
7d1fc253549e
notification to commit author + gardening
Marcin Kuzminski <marcin@python-works.com>
parents:
1644
diff
changeset
|
626 """ |
7d1fc253549e
notification to commit author + gardening
Marcin Kuzminski <marcin@python-works.com>
parents:
1644
diff
changeset
|
627 Checks for access permission for any of given predicates. In order to |
239
b18f89d6d17f
Adde draft for permissions systems, made all needed decorators, and checks. For future usage in the system.
Marcin Kuzminski <marcin@python-works.com>
parents:
234
diff
changeset
|
628 fulfill the request any of predicates must be meet |
b18f89d6d17f
Adde draft for permissions systems, made all needed decorators, and checks. For future usage in the system.
Marcin Kuzminski <marcin@python-works.com>
parents:
234
diff
changeset
|
629 """ |
673
dd532af216d9
#49 Enabled anonymous access for web interface controllable from permissions pannel
Marcin Kuzminski <marcin@python-works.com>
parents:
629
diff
changeset
|
630 |
239
b18f89d6d17f
Adde draft for permissions systems, made all needed decorators, and checks. For future usage in the system.
Marcin Kuzminski <marcin@python-works.com>
parents:
234
diff
changeset
|
631 def check_permissions(self): |
339
5d517bbf0a0d
some extra checks for auth lib
Marcin Kuzminski <marcin@python-works.com>
parents:
333
diff
changeset
|
632 if self.required_perms.intersection(self.user_perms.get('global')): |
316
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
633 return True |
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
634 return False |
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
635 |
1246 | 636 |
316
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
637 class HasRepoPermissionAllDecorator(PermsDecorator): |
1716
7d1fc253549e
notification to commit author + gardening
Marcin Kuzminski <marcin@python-works.com>
parents:
1644
diff
changeset
|
638 """ |
7d1fc253549e
notification to commit author + gardening
Marcin Kuzminski <marcin@python-works.com>
parents:
1644
diff
changeset
|
639 Checks for access permission for all given predicates for specific |
316
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
640 repository. All of them have to be meet in order to fulfill the request |
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
641 """ |
673
dd532af216d9
#49 Enabled anonymous access for web interface controllable from permissions pannel
Marcin Kuzminski <marcin@python-works.com>
parents:
629
diff
changeset
|
642 |
316
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
643 def check_permissions(self): |
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
644 repo_name = get_repo_slug(request) |
339
5d517bbf0a0d
some extra checks for auth lib
Marcin Kuzminski <marcin@python-works.com>
parents:
333
diff
changeset
|
645 try: |
5d517bbf0a0d
some extra checks for auth lib
Marcin Kuzminski <marcin@python-works.com>
parents:
333
diff
changeset
|
646 user_perms = set([self.user_perms['repositories'][repo_name]]) |
5d517bbf0a0d
some extra checks for auth lib
Marcin Kuzminski <marcin@python-works.com>
parents:
333
diff
changeset
|
647 except KeyError: |
5d517bbf0a0d
some extra checks for auth lib
Marcin Kuzminski <marcin@python-works.com>
parents:
333
diff
changeset
|
648 return False |
316
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
649 if self.required_perms.issubset(user_perms): |
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
650 return True |
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
651 return False |
673
dd532af216d9
#49 Enabled anonymous access for web interface controllable from permissions pannel
Marcin Kuzminski <marcin@python-works.com>
parents:
629
diff
changeset
|
652 |
316
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
653 |
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
654 class HasRepoPermissionAnyDecorator(PermsDecorator): |
1716
7d1fc253549e
notification to commit author + gardening
Marcin Kuzminski <marcin@python-works.com>
parents:
1644
diff
changeset
|
655 """ |
7d1fc253549e
notification to commit author + gardening
Marcin Kuzminski <marcin@python-works.com>
parents:
1644
diff
changeset
|
656 Checks for access permission for any of given predicates for specific |
316
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
657 repository. In order to fulfill the request any of predicates must be meet |
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
658 """ |
673
dd532af216d9
#49 Enabled anonymous access for web interface controllable from permissions pannel
Marcin Kuzminski <marcin@python-works.com>
parents:
629
diff
changeset
|
659 |
316
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
660 def check_permissions(self): |
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
661 repo_name = get_repo_slug(request) |
339
5d517bbf0a0d
some extra checks for auth lib
Marcin Kuzminski <marcin@python-works.com>
parents:
333
diff
changeset
|
662 try: |
5d517bbf0a0d
some extra checks for auth lib
Marcin Kuzminski <marcin@python-works.com>
parents:
333
diff
changeset
|
663 user_perms = set([self.user_perms['repositories'][repo_name]]) |
5d517bbf0a0d
some extra checks for auth lib
Marcin Kuzminski <marcin@python-works.com>
parents:
333
diff
changeset
|
664 except KeyError: |
5d517bbf0a0d
some extra checks for auth lib
Marcin Kuzminski <marcin@python-works.com>
parents:
333
diff
changeset
|
665 return False |
2125
097327aaf2ad
more detailed logging on auth system
Marcin Kuzminski <marcin@python-works.com>
parents:
2109
diff
changeset
|
666 |
316
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
667 if self.required_perms.intersection(user_perms): |
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
668 return True |
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
669 return False |
1246 | 670 |
671 | |
1982
87f0800abc7b
#227 Initial version of repository groups permissions system
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
672 class HasReposGroupPermissionAllDecorator(PermsDecorator): |
87f0800abc7b
#227 Initial version of repository groups permissions system
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
673 """ |
87f0800abc7b
#227 Initial version of repository groups permissions system
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
674 Checks for access permission for all given predicates for specific |
87f0800abc7b
#227 Initial version of repository groups permissions system
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
675 repository. All of them have to be meet in order to fulfill the request |
87f0800abc7b
#227 Initial version of repository groups permissions system
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
676 """ |
87f0800abc7b
#227 Initial version of repository groups permissions system
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
677 |
87f0800abc7b
#227 Initial version of repository groups permissions system
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
678 def check_permissions(self): |
87f0800abc7b
#227 Initial version of repository groups permissions system
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
679 group_name = get_repos_group_slug(request) |
87f0800abc7b
#227 Initial version of repository groups permissions system
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
680 try: |
87f0800abc7b
#227 Initial version of repository groups permissions system
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
681 user_perms = set([self.user_perms['repositories_groups'][group_name]]) |
87f0800abc7b
#227 Initial version of repository groups permissions system
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
682 except KeyError: |
87f0800abc7b
#227 Initial version of repository groups permissions system
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
683 return False |
3222
b4daef4cc26d
Group management delegation:
Marcin Kuzminski <marcin@python-works.com>
parents:
3212
diff
changeset
|
684 |
1982
87f0800abc7b
#227 Initial version of repository groups permissions system
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
685 if self.required_perms.issubset(user_perms): |
87f0800abc7b
#227 Initial version of repository groups permissions system
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
686 return True |
87f0800abc7b
#227 Initial version of repository groups permissions system
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
687 return False |
87f0800abc7b
#227 Initial version of repository groups permissions system
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
688 |
87f0800abc7b
#227 Initial version of repository groups permissions system
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
689 |
87f0800abc7b
#227 Initial version of repository groups permissions system
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
690 class HasReposGroupPermissionAnyDecorator(PermsDecorator): |
87f0800abc7b
#227 Initial version of repository groups permissions system
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
691 """ |
87f0800abc7b
#227 Initial version of repository groups permissions system
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
692 Checks for access permission for any of given predicates for specific |
87f0800abc7b
#227 Initial version of repository groups permissions system
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
693 repository. In order to fulfill the request any of predicates must be meet |
87f0800abc7b
#227 Initial version of repository groups permissions system
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
694 """ |
87f0800abc7b
#227 Initial version of repository groups permissions system
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
695 |
87f0800abc7b
#227 Initial version of repository groups permissions system
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
696 def check_permissions(self): |
87f0800abc7b
#227 Initial version of repository groups permissions system
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
697 group_name = get_repos_group_slug(request) |
87f0800abc7b
#227 Initial version of repository groups permissions system
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
698 try: |
87f0800abc7b
#227 Initial version of repository groups permissions system
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
699 user_perms = set([self.user_perms['repositories_groups'][group_name]]) |
87f0800abc7b
#227 Initial version of repository groups permissions system
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
700 except KeyError: |
87f0800abc7b
#227 Initial version of repository groups permissions system
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
701 return False |
3222
b4daef4cc26d
Group management delegation:
Marcin Kuzminski <marcin@python-works.com>
parents:
3212
diff
changeset
|
702 |
1982
87f0800abc7b
#227 Initial version of repository groups permissions system
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
703 if self.required_perms.intersection(user_perms): |
87f0800abc7b
#227 Initial version of repository groups permissions system
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
704 return True |
87f0800abc7b
#227 Initial version of repository groups permissions system
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
705 return False |
87f0800abc7b
#227 Initial version of repository groups permissions system
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
706 |
87f0800abc7b
#227 Initial version of repository groups permissions system
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
707 |
1246 | 708 #============================================================================== |
316
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
709 # CHECK FUNCTIONS |
1246 | 710 #============================================================================== |
316
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
711 class PermsFunction(object): |
377
bd8b25ad058d
Fixed decorators bug when using them with keyworded arguments,new implementation takes new approach that is more flexible
Marcin Kuzminski <marcin@python-works.com>
parents:
371
diff
changeset
|
712 """Base function for other check functions""" |
673
dd532af216d9
#49 Enabled anonymous access for web interface controllable from permissions pannel
Marcin Kuzminski <marcin@python-works.com>
parents:
629
diff
changeset
|
713 |
316
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
714 def __init__(self, *perms): |
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
715 available_perms = config['available_permissions'] |
673
dd532af216d9
#49 Enabled anonymous access for web interface controllable from permissions pannel
Marcin Kuzminski <marcin@python-works.com>
parents:
629
diff
changeset
|
716 |
316
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
717 for perm in perms: |
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
718 if perm not in available_perms: |
2105
926f55b038bc
added initial rc-extension module
Marcin Kuzminski <marcin@python-works.com>
parents:
2100
diff
changeset
|
719 raise Exception("'%s' permission is not defined" % perm) |
316
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
720 self.required_perms = set(perms) |
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
721 self.user_perms = None |
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
722 self.repo_name = None |
2125
097327aaf2ad
more detailed logging on auth system
Marcin Kuzminski <marcin@python-works.com>
parents:
2109
diff
changeset
|
723 self.group_name = None |
673
dd532af216d9
#49 Enabled anonymous access for web interface controllable from permissions pannel
Marcin Kuzminski <marcin@python-works.com>
parents:
629
diff
changeset
|
724 |
316
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
725 def __call__(self, check_Location=''): |
1728
07e56179633e
- fixes celery sqlalchemy session issues for async forking
Marcin Kuzminski <marcin@python-works.com>
parents:
1718
diff
changeset
|
726 user = request.user |
2125
097327aaf2ad
more detailed logging on auth system
Marcin Kuzminski <marcin@python-works.com>
parents:
2109
diff
changeset
|
727 cls_name = self.__class__.__name__ |
097327aaf2ad
more detailed logging on auth system
Marcin Kuzminski <marcin@python-works.com>
parents:
2109
diff
changeset
|
728 check_scope = { |
097327aaf2ad
more detailed logging on auth system
Marcin Kuzminski <marcin@python-works.com>
parents:
2109
diff
changeset
|
729 'HasPermissionAll': '', |
097327aaf2ad
more detailed logging on auth system
Marcin Kuzminski <marcin@python-works.com>
parents:
2109
diff
changeset
|
730 'HasPermissionAny': '', |
097327aaf2ad
more detailed logging on auth system
Marcin Kuzminski <marcin@python-works.com>
parents:
2109
diff
changeset
|
731 'HasRepoPermissionAll': 'repo:%s' % self.repo_name, |
097327aaf2ad
more detailed logging on auth system
Marcin Kuzminski <marcin@python-works.com>
parents:
2109
diff
changeset
|
732 'HasRepoPermissionAny': 'repo:%s' % self.repo_name, |
097327aaf2ad
more detailed logging on auth system
Marcin Kuzminski <marcin@python-works.com>
parents:
2109
diff
changeset
|
733 'HasReposGroupPermissionAll': 'group:%s' % self.group_name, |
097327aaf2ad
more detailed logging on auth system
Marcin Kuzminski <marcin@python-works.com>
parents:
2109
diff
changeset
|
734 'HasReposGroupPermissionAny': 'group:%s' % self.group_name, |
097327aaf2ad
more detailed logging on auth system
Marcin Kuzminski <marcin@python-works.com>
parents:
2109
diff
changeset
|
735 }.get(cls_name, '?') |
097327aaf2ad
more detailed logging on auth system
Marcin Kuzminski <marcin@python-works.com>
parents:
2109
diff
changeset
|
736 log.debug('checking cls:%s %s usr:%s %s @ %s', cls_name, |
097327aaf2ad
more detailed logging on auth system
Marcin Kuzminski <marcin@python-works.com>
parents:
2109
diff
changeset
|
737 self.required_perms, user, check_scope, |
097327aaf2ad
more detailed logging on auth system
Marcin Kuzminski <marcin@python-works.com>
parents:
2109
diff
changeset
|
738 check_Location or 'unspecified location') |
333 | 739 if not user: |
2045
5b12cbae0b50
fixed issue with sessions that lead to redirection loops
Marcin Kuzminski <marcin@python-works.com>
parents:
2030
diff
changeset
|
740 log.debug('Empty request user') |
333 | 741 return False |
316
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
742 self.user_perms = user.permissions |
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
743 if self.check_permissions(): |
3137
6c705abed11a
logging: include more info in grant/deny log entries
Mads Kiilerich <madski@unity3d.com>
parents:
3125
diff
changeset
|
744 log.debug('Permission to %s granted for user: %s @ %s', self.repo_name, user, |
1117
6eb5bb24a948
Major rewrite of auth objects. Moved parts of filling user data into user model.
Marcin Kuzminski <marcin@python-works.com>
parents:
1116
diff
changeset
|
745 check_Location or 'unspecified location') |
316
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
746 return True |
673
dd532af216d9
#49 Enabled anonymous access for web interface controllable from permissions pannel
Marcin Kuzminski <marcin@python-works.com>
parents:
629
diff
changeset
|
747 |
316
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
748 else: |
3137
6c705abed11a
logging: include more info in grant/deny log entries
Mads Kiilerich <madski@unity3d.com>
parents:
3125
diff
changeset
|
749 log.debug('Permission to %s denied for user: %s @ %s', self.repo_name, user, |
1117
6eb5bb24a948
Major rewrite of auth objects. Moved parts of filling user data into user model.
Marcin Kuzminski <marcin@python-works.com>
parents:
1116
diff
changeset
|
750 check_Location or 'unspecified location') |
673
dd532af216d9
#49 Enabled anonymous access for web interface controllable from permissions pannel
Marcin Kuzminski <marcin@python-works.com>
parents:
629
diff
changeset
|
751 return False |
dd532af216d9
#49 Enabled anonymous access for web interface controllable from permissions pannel
Marcin Kuzminski <marcin@python-works.com>
parents:
629
diff
changeset
|
752 |
316
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
753 def check_permissions(self): |
377
bd8b25ad058d
Fixed decorators bug when using them with keyworded arguments,new implementation takes new approach that is more flexible
Marcin Kuzminski <marcin@python-works.com>
parents:
371
diff
changeset
|
754 """Dummy function for overriding""" |
316
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
755 raise Exception('You have to write this function in child class') |
673
dd532af216d9
#49 Enabled anonymous access for web interface controllable from permissions pannel
Marcin Kuzminski <marcin@python-works.com>
parents:
629
diff
changeset
|
756 |
1246 | 757 |
316
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
758 class HasPermissionAll(PermsFunction): |
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
759 def check_permissions(self): |
339
5d517bbf0a0d
some extra checks for auth lib
Marcin Kuzminski <marcin@python-works.com>
parents:
333
diff
changeset
|
760 if self.required_perms.issubset(self.user_perms.get('global')): |
316
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
761 return True |
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
762 return False |
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
763 |
1246 | 764 |
316
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
765 class HasPermissionAny(PermsFunction): |
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
766 def check_permissions(self): |
339
5d517bbf0a0d
some extra checks for auth lib
Marcin Kuzminski <marcin@python-works.com>
parents:
333
diff
changeset
|
767 if self.required_perms.intersection(self.user_perms.get('global')): |
316
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
768 return True |
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
769 return False |
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
770 |
1246 | 771 |
316
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
772 class HasRepoPermissionAll(PermsFunction): |
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
773 def __call__(self, repo_name=None, check_Location=''): |
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
774 self.repo_name = repo_name |
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
775 return super(HasRepoPermissionAll, self).__call__(check_Location) |
673
dd532af216d9
#49 Enabled anonymous access for web interface controllable from permissions pannel
Marcin Kuzminski <marcin@python-works.com>
parents:
629
diff
changeset
|
776 |
316
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
777 def check_permissions(self): |
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
778 if not self.repo_name: |
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
779 self.repo_name = get_repo_slug(request) |
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
780 |
339
5d517bbf0a0d
some extra checks for auth lib
Marcin Kuzminski <marcin@python-works.com>
parents:
333
diff
changeset
|
781 try: |
2125
097327aaf2ad
more detailed logging on auth system
Marcin Kuzminski <marcin@python-works.com>
parents:
2109
diff
changeset
|
782 self._user_perms = set( |
1982
87f0800abc7b
#227 Initial version of repository groups permissions system
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
783 [self.user_perms['repositories'][self.repo_name]] |
87f0800abc7b
#227 Initial version of repository groups permissions system
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
784 ) |
339
5d517bbf0a0d
some extra checks for auth lib
Marcin Kuzminski <marcin@python-works.com>
parents:
333
diff
changeset
|
785 except KeyError: |
5d517bbf0a0d
some extra checks for auth lib
Marcin Kuzminski <marcin@python-works.com>
parents:
333
diff
changeset
|
786 return False |
2125
097327aaf2ad
more detailed logging on auth system
Marcin Kuzminski <marcin@python-works.com>
parents:
2109
diff
changeset
|
787 if self.required_perms.issubset(self._user_perms): |
316
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
788 return True |
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
789 return False |
673
dd532af216d9
#49 Enabled anonymous access for web interface controllable from permissions pannel
Marcin Kuzminski <marcin@python-works.com>
parents:
629
diff
changeset
|
790 |
1246 | 791 |
316
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
792 class HasRepoPermissionAny(PermsFunction): |
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
793 def __call__(self, repo_name=None, check_Location=''): |
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
794 self.repo_name = repo_name |
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
795 return super(HasRepoPermissionAny, self).__call__(check_Location) |
673
dd532af216d9
#49 Enabled anonymous access for web interface controllable from permissions pannel
Marcin Kuzminski <marcin@python-works.com>
parents:
629
diff
changeset
|
796 |
316
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
797 def check_permissions(self): |
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
798 if not self.repo_name: |
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
799 self.repo_name = get_repo_slug(request) |
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
800 |
339
5d517bbf0a0d
some extra checks for auth lib
Marcin Kuzminski <marcin@python-works.com>
parents:
333
diff
changeset
|
801 try: |
2125
097327aaf2ad
more detailed logging on auth system
Marcin Kuzminski <marcin@python-works.com>
parents:
2109
diff
changeset
|
802 self._user_perms = set( |
1982
87f0800abc7b
#227 Initial version of repository groups permissions system
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
803 [self.user_perms['repositories'][self.repo_name]] |
87f0800abc7b
#227 Initial version of repository groups permissions system
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
804 ) |
339
5d517bbf0a0d
some extra checks for auth lib
Marcin Kuzminski <marcin@python-works.com>
parents:
333
diff
changeset
|
805 except KeyError: |
5d517bbf0a0d
some extra checks for auth lib
Marcin Kuzminski <marcin@python-works.com>
parents:
333
diff
changeset
|
806 return False |
2125
097327aaf2ad
more detailed logging on auth system
Marcin Kuzminski <marcin@python-works.com>
parents:
2109
diff
changeset
|
807 if self.required_perms.intersection(self._user_perms): |
239
b18f89d6d17f
Adde draft for permissions systems, made all needed decorators, and checks. For future usage in the system.
Marcin Kuzminski <marcin@python-works.com>
parents:
234
diff
changeset
|
808 return True |
b18f89d6d17f
Adde draft for permissions systems, made all needed decorators, and checks. For future usage in the system.
Marcin Kuzminski <marcin@python-works.com>
parents:
234
diff
changeset
|
809 return False |
b18f89d6d17f
Adde draft for permissions systems, made all needed decorators, and checks. For future usage in the system.
Marcin Kuzminski <marcin@python-works.com>
parents:
234
diff
changeset
|
810 |
1246 | 811 |
1982
87f0800abc7b
#227 Initial version of repository groups permissions system
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
812 class HasReposGroupPermissionAny(PermsFunction): |
87f0800abc7b
#227 Initial version of repository groups permissions system
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
813 def __call__(self, group_name=None, check_Location=''): |
87f0800abc7b
#227 Initial version of repository groups permissions system
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
814 self.group_name = group_name |
87f0800abc7b
#227 Initial version of repository groups permissions system
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
815 return super(HasReposGroupPermissionAny, self).__call__(check_Location) |
87f0800abc7b
#227 Initial version of repository groups permissions system
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
816 |
87f0800abc7b
#227 Initial version of repository groups permissions system
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
817 def check_permissions(self): |
87f0800abc7b
#227 Initial version of repository groups permissions system
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
818 try: |
2125
097327aaf2ad
more detailed logging on auth system
Marcin Kuzminski <marcin@python-works.com>
parents:
2109
diff
changeset
|
819 self._user_perms = set( |
1982
87f0800abc7b
#227 Initial version of repository groups permissions system
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
820 [self.user_perms['repositories_groups'][self.group_name]] |
87f0800abc7b
#227 Initial version of repository groups permissions system
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
821 ) |
87f0800abc7b
#227 Initial version of repository groups permissions system
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
822 except KeyError: |
87f0800abc7b
#227 Initial version of repository groups permissions system
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
823 return False |
2125
097327aaf2ad
more detailed logging on auth system
Marcin Kuzminski <marcin@python-works.com>
parents:
2109
diff
changeset
|
824 if self.required_perms.intersection(self._user_perms): |
1982
87f0800abc7b
#227 Initial version of repository groups permissions system
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
825 return True |
87f0800abc7b
#227 Initial version of repository groups permissions system
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
826 return False |
87f0800abc7b
#227 Initial version of repository groups permissions system
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
827 |
87f0800abc7b
#227 Initial version of repository groups permissions system
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
828 |
87f0800abc7b
#227 Initial version of repository groups permissions system
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
829 class HasReposGroupPermissionAll(PermsFunction): |
87f0800abc7b
#227 Initial version of repository groups permissions system
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
830 def __call__(self, group_name=None, check_Location=''): |
87f0800abc7b
#227 Initial version of repository groups permissions system
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
831 self.group_name = group_name |
2634
4b17216f2110
Deprecated validation of operating system, we just care if it's windows, let approve all other
Marcin Kuzminski <marcin@python-works.com>
parents:
2479
diff
changeset
|
832 return super(HasReposGroupPermissionAll, self).__call__(check_Location) |
1982
87f0800abc7b
#227 Initial version of repository groups permissions system
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
833 |
87f0800abc7b
#227 Initial version of repository groups permissions system
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
834 def check_permissions(self): |
87f0800abc7b
#227 Initial version of repository groups permissions system
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
835 try: |
2125
097327aaf2ad
more detailed logging on auth system
Marcin Kuzminski <marcin@python-works.com>
parents:
2109
diff
changeset
|
836 self._user_perms = set( |
1982
87f0800abc7b
#227 Initial version of repository groups permissions system
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
837 [self.user_perms['repositories_groups'][self.group_name]] |
87f0800abc7b
#227 Initial version of repository groups permissions system
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
838 ) |
87f0800abc7b
#227 Initial version of repository groups permissions system
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
839 except KeyError: |
87f0800abc7b
#227 Initial version of repository groups permissions system
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
840 return False |
2125
097327aaf2ad
more detailed logging on auth system
Marcin Kuzminski <marcin@python-works.com>
parents:
2109
diff
changeset
|
841 if self.required_perms.issubset(self._user_perms): |
1982
87f0800abc7b
#227 Initial version of repository groups permissions system
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
842 return True |
87f0800abc7b
#227 Initial version of repository groups permissions system
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
843 return False |
87f0800abc7b
#227 Initial version of repository groups permissions system
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
844 |
87f0800abc7b
#227 Initial version of repository groups permissions system
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
845 |
1246 | 846 #============================================================================== |
316
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
847 # SPECIAL VERSION TO HANDLE MIDDLEWARE AUTH |
1246 | 848 #============================================================================== |
316
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
849 class HasPermissionAnyMiddleware(object): |
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
850 def __init__(self, *perms): |
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
851 self.required_perms = set(perms) |
673
dd532af216d9
#49 Enabled anonymous access for web interface controllable from permissions pannel
Marcin Kuzminski <marcin@python-works.com>
parents:
629
diff
changeset
|
852 |
316
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
853 def __call__(self, user, repo_name): |
2100
f0649c7cf94a
fixed some unicode problems with waitress
Marcin Kuzminski <marcin@python-works.com>
parents:
2045
diff
changeset
|
854 # repo_name MUST be unicode, since we handle keys in permission |
f0649c7cf94a
fixed some unicode problems with waitress
Marcin Kuzminski <marcin@python-works.com>
parents:
2045
diff
changeset
|
855 # dict by unicode |
f0649c7cf94a
fixed some unicode problems with waitress
Marcin Kuzminski <marcin@python-works.com>
parents:
2045
diff
changeset
|
856 repo_name = safe_unicode(repo_name) |
1117
6eb5bb24a948
Major rewrite of auth objects. Moved parts of filling user data into user model.
Marcin Kuzminski <marcin@python-works.com>
parents:
1116
diff
changeset
|
857 usr = AuthUser(user.user_id) |
316
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
858 try: |
1117
6eb5bb24a948
Major rewrite of auth objects. Moved parts of filling user data into user model.
Marcin Kuzminski <marcin@python-works.com>
parents:
1116
diff
changeset
|
859 self.user_perms = set([usr.permissions['repositories'][repo_name]]) |
2100
f0649c7cf94a
fixed some unicode problems with waitress
Marcin Kuzminski <marcin@python-works.com>
parents:
2045
diff
changeset
|
860 except Exception: |
2109 | 861 log.error('Exception while accessing permissions %s' % |
2100
f0649c7cf94a
fixed some unicode problems with waitress
Marcin Kuzminski <marcin@python-works.com>
parents:
2045
diff
changeset
|
862 traceback.format_exc()) |
316
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
863 self.user_perms = set() |
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
864 self.username = user.username |
673
dd532af216d9
#49 Enabled anonymous access for web interface controllable from permissions pannel
Marcin Kuzminski <marcin@python-works.com>
parents:
629
diff
changeset
|
865 self.repo_name = repo_name |
316
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
866 return self.check_permissions() |
673
dd532af216d9
#49 Enabled anonymous access for web interface controllable from permissions pannel
Marcin Kuzminski <marcin@python-works.com>
parents:
629
diff
changeset
|
867 |
316
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
868 def check_permissions(self): |
2726
aa17c7a1b8a5
Implemented basic locking functionality.
Marcin Kuzminski <marcin@python-works.com>
parents:
2714
diff
changeset
|
869 log.debug('checking VCS protocol ' |
1040
8e49b6ceffe1
fixes fixes fixes ! optimized queries on journal
Marcin Kuzminski <marcin@python-works.com>
parents:
1036
diff
changeset
|
870 'permissions %s for user:%s repository:%s', self.user_perms, |
316
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
871 self.username, self.repo_name) |
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
872 if self.required_perms.intersection(self.user_perms): |
2125
097327aaf2ad
more detailed logging on auth system
Marcin Kuzminski <marcin@python-works.com>
parents:
2109
diff
changeset
|
873 log.debug('permission granted for user:%s on repo:%s' % ( |
097327aaf2ad
more detailed logging on auth system
Marcin Kuzminski <marcin@python-works.com>
parents:
2109
diff
changeset
|
874 self.username, self.repo_name |
097327aaf2ad
more detailed logging on auth system
Marcin Kuzminski <marcin@python-works.com>
parents:
2109
diff
changeset
|
875 ) |
097327aaf2ad
more detailed logging on auth system
Marcin Kuzminski <marcin@python-works.com>
parents:
2109
diff
changeset
|
876 ) |
316
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
877 return True |
2125
097327aaf2ad
more detailed logging on auth system
Marcin Kuzminski <marcin@python-works.com>
parents:
2109
diff
changeset
|
878 log.debug('permission denied for user:%s on repo:%s' % ( |
097327aaf2ad
more detailed logging on auth system
Marcin Kuzminski <marcin@python-works.com>
parents:
2109
diff
changeset
|
879 self.username, self.repo_name |
097327aaf2ad
more detailed logging on auth system
Marcin Kuzminski <marcin@python-works.com>
parents:
2109
diff
changeset
|
880 ) |
097327aaf2ad
more detailed logging on auth system
Marcin Kuzminski <marcin@python-works.com>
parents:
2109
diff
changeset
|
881 ) |
316
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
882 return False |
3125
9b92cf5a0cca
Added UserIpMap interface for allowed IP addresses and IP restriction access
Marcin Kuzminski <marcin@python-works.com>
parents:
2726
diff
changeset
|
883 |
9b92cf5a0cca
Added UserIpMap interface for allowed IP addresses and IP restriction access
Marcin Kuzminski <marcin@python-works.com>
parents:
2726
diff
changeset
|
884 |
3161
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
885 #============================================================================== |
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
886 # SPECIAL VERSION TO HANDLE API AUTH |
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
887 #============================================================================== |
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
888 class _BaseApiPerm(object): |
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
889 def __init__(self, *perms): |
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
890 self.required_perms = set(perms) |
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
891 |
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
892 def __call__(self, check_location='unspecified', user=None, repo_name=None): |
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
893 cls_name = self.__class__.__name__ |
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
894 check_scope = 'user:%s, repo:%s' % (user, repo_name) |
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
895 log.debug('checking cls:%s %s %s @ %s', cls_name, |
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
896 self.required_perms, check_scope, check_location) |
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
897 if not user: |
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
898 log.debug('Empty User passed into arguments') |
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
899 return False |
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
900 |
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
901 ## process user |
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
902 if not isinstance(user, AuthUser): |
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
903 user = AuthUser(user.user_id) |
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
904 |
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
905 if self.check_permissions(user.permissions, repo_name): |
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
906 log.debug('Permission to %s granted for user: %s @ %s', repo_name, |
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
907 user, check_location) |
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
908 return True |
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
909 |
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
910 else: |
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
911 log.debug('Permission to %s denied for user: %s @ %s', repo_name, |
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
912 user, check_location) |
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
913 return False |
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
914 |
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
915 def check_permissions(self, perm_defs, repo_name): |
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
916 """ |
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
917 implement in child class should return True if permissions are ok, |
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
918 False otherwise |
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
919 |
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
920 :param perm_defs: dict with permission definitions |
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
921 :param repo_name: repo name |
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
922 """ |
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
923 raise NotImplementedError() |
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
924 |
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
925 |
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
926 class HasPermissionAllApi(_BaseApiPerm): |
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
927 def __call__(self, user, check_location=''): |
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
928 return super(HasPermissionAllApi, self)\ |
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
929 .__call__(check_location=check_location, user=user) |
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
930 |
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
931 def check_permissions(self, perm_defs, repo): |
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
932 if self.required_perms.issubset(perm_defs.get('global')): |
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
933 return True |
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
934 return False |
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
935 |
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
936 |
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
937 class HasPermissionAnyApi(_BaseApiPerm): |
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
938 def __call__(self, user, check_location=''): |
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
939 return super(HasPermissionAnyApi, self)\ |
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
940 .__call__(check_location=check_location, user=user) |
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
941 |
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
942 def check_permissions(self, perm_defs, repo): |
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
943 if self.required_perms.intersection(perm_defs.get('global')): |
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
944 return True |
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
945 return False |
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
946 |
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
947 |
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
948 class HasRepoPermissionAllApi(_BaseApiPerm): |
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
949 def __call__(self, user, repo_name, check_location=''): |
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
950 return super(HasRepoPermissionAllApi, self)\ |
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
951 .__call__(check_location=check_location, user=user, |
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
952 repo_name=repo_name) |
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
953 |
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
954 def check_permissions(self, perm_defs, repo_name): |
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
955 |
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
956 try: |
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
957 self._user_perms = set( |
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
958 [perm_defs['repositories'][repo_name]] |
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
959 ) |
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
960 except KeyError: |
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
961 log.warning(traceback.format_exc()) |
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
962 return False |
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
963 if self.required_perms.issubset(self._user_perms): |
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
964 return True |
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
965 return False |
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
966 |
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
967 |
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
968 class HasRepoPermissionAnyApi(_BaseApiPerm): |
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
969 def __call__(self, user, repo_name, check_location=''): |
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
970 return super(HasRepoPermissionAnyApi, self)\ |
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
971 .__call__(check_location=check_location, user=user, |
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
972 repo_name=repo_name) |
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
973 |
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
974 def check_permissions(self, perm_defs, repo_name): |
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
975 |
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
976 try: |
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
977 _user_perms = set( |
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
978 [perm_defs['repositories'][repo_name]] |
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
979 ) |
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
980 except KeyError: |
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
981 log.warning(traceback.format_exc()) |
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
982 return False |
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
983 if self.required_perms.intersection(_user_perms): |
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
984 return True |
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
985 return False |
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
986 |
3563c47e52fd
Implemented API calls for non-admin users for locking/unlocking repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
3146
diff
changeset
|
987 |
3125
9b92cf5a0cca
Added UserIpMap interface for allowed IP addresses and IP restriction access
Marcin Kuzminski <marcin@python-works.com>
parents:
2726
diff
changeset
|
988 def check_ip_access(source_ip, allowed_ips=None): |
9b92cf5a0cca
Added UserIpMap interface for allowed IP addresses and IP restriction access
Marcin Kuzminski <marcin@python-works.com>
parents:
2726
diff
changeset
|
989 """ |
9b92cf5a0cca
Added UserIpMap interface for allowed IP addresses and IP restriction access
Marcin Kuzminski <marcin@python-works.com>
parents:
2726
diff
changeset
|
990 Checks if source_ip is a subnet of any of allowed_ips. |
9b92cf5a0cca
Added UserIpMap interface for allowed IP addresses and IP restriction access
Marcin Kuzminski <marcin@python-works.com>
parents:
2726
diff
changeset
|
991 |
9b92cf5a0cca
Added UserIpMap interface for allowed IP addresses and IP restriction access
Marcin Kuzminski <marcin@python-works.com>
parents:
2726
diff
changeset
|
992 :param source_ip: |
9b92cf5a0cca
Added UserIpMap interface for allowed IP addresses and IP restriction access
Marcin Kuzminski <marcin@python-works.com>
parents:
2726
diff
changeset
|
993 :param allowed_ips: list of allowed ips together with mask |
9b92cf5a0cca
Added UserIpMap interface for allowed IP addresses and IP restriction access
Marcin Kuzminski <marcin@python-works.com>
parents:
2726
diff
changeset
|
994 """ |
9b92cf5a0cca
Added UserIpMap interface for allowed IP addresses and IP restriction access
Marcin Kuzminski <marcin@python-works.com>
parents:
2726
diff
changeset
|
995 from rhodecode.lib import ipaddr |
9b92cf5a0cca
Added UserIpMap interface for allowed IP addresses and IP restriction access
Marcin Kuzminski <marcin@python-works.com>
parents:
2726
diff
changeset
|
996 log.debug('checking if ip:%s is subnet of %s' % (source_ip, allowed_ips)) |
9b92cf5a0cca
Added UserIpMap interface for allowed IP addresses and IP restriction access
Marcin Kuzminski <marcin@python-works.com>
parents:
2726
diff
changeset
|
997 if isinstance(allowed_ips, (tuple, list, set)): |
9b92cf5a0cca
Added UserIpMap interface for allowed IP addresses and IP restriction access
Marcin Kuzminski <marcin@python-works.com>
parents:
2726
diff
changeset
|
998 for ip in allowed_ips: |
3212
6c28533d122c
IP restrictions now also enabled for IPv6
Marcin Kuzminski <marcin@python-works.com>
parents:
3173
diff
changeset
|
999 try: |
6c28533d122c
IP restrictions now also enabled for IPv6
Marcin Kuzminski <marcin@python-works.com>
parents:
3173
diff
changeset
|
1000 if ipaddr.IPAddress(source_ip) in ipaddr.IPNetwork(ip): |
6c28533d122c
IP restrictions now also enabled for IPv6
Marcin Kuzminski <marcin@python-works.com>
parents:
3173
diff
changeset
|
1001 return True |
6c28533d122c
IP restrictions now also enabled for IPv6
Marcin Kuzminski <marcin@python-works.com>
parents:
3173
diff
changeset
|
1002 # for any case we cannot determine the IP, don't crash just |
6c28533d122c
IP restrictions now also enabled for IPv6
Marcin Kuzminski <marcin@python-works.com>
parents:
3173
diff
changeset
|
1003 # skip it and log as error, we want to say forbidden still when |
6c28533d122c
IP restrictions now also enabled for IPv6
Marcin Kuzminski <marcin@python-works.com>
parents:
3173
diff
changeset
|
1004 # sending bad IP |
6c28533d122c
IP restrictions now also enabled for IPv6
Marcin Kuzminski <marcin@python-works.com>
parents:
3173
diff
changeset
|
1005 except Exception: |
6c28533d122c
IP restrictions now also enabled for IPv6
Marcin Kuzminski <marcin@python-works.com>
parents:
3173
diff
changeset
|
1006 log.error(traceback.format_exc()) |
6c28533d122c
IP restrictions now also enabled for IPv6
Marcin Kuzminski <marcin@python-works.com>
parents:
3173
diff
changeset
|
1007 continue |
3125
9b92cf5a0cca
Added UserIpMap interface for allowed IP addresses and IP restriction access
Marcin Kuzminski <marcin@python-works.com>
parents:
2726
diff
changeset
|
1008 return False |