annotate rhodecode/lib/auth.py @ 3376:e67b2ef07a8e beta
git executable is now configurable via .ini files
author | Marcin Kuzminski <marcin@python-works.com> |
---|---|
date | Sun, 17 Feb 2013 22:58:09 +0100 |
parents | 199fd214b213 |
children | b8f929bff7e3 |
1 # -*- coding: utf-8 -*- |
2 """ |
3 rhodecode.lib.auth |
4 ~~~~~~~~~~~~~~~~~~ |
5 |
6 authentication and permission libraries |
7 |
8 :created_on: Apr 4, 2010 |
9 :author: marcink |
10 :copyright: (C) 2010-2012 Marcin Kuzminski <marcin@python-works.com> |
11 :license: GPLv3, see COPYING for more details. |
12 """ |
13 # This program is free software: you can redistribute it and/or modify |
14 # it under the terms of the GNU General Public License as published by |
15 # the Free Software Foundation, either version 3 of the License, or |
16 # (at your option) any later version. |
17 # |
18 # This program is distributed in the hope that it will be useful, |
19 # but WITHOUT ANY WARRANTY; without even the implied warranty of |
20 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
21 # GNU General Public License for more details. |
22 # |
23 # You should have received a copy of the GNU General Public License |
24 # along with this program. If not, see <http://www.gnu.org/licenses/>. |
25 |
import binascii
import hashlib
import logging
import os
import random
import traceback
from tempfile import _RandomNameSequence

from decorator import decorator
from pylons import config, url, request
from pylons.controllers.util import abort, redirect
from pylons.i18n.translation import _
from sqlalchemy.orm.exc import ObjectDeletedError

from rhodecode import __platform__, is_windows, is_unix
from rhodecode.model.meta import Session

from rhodecode.lib.utils2 import str2bool, safe_unicode
from rhodecode.lib.exceptions import LdapPasswordError, LdapUsernameError
from rhodecode.lib.utils import get_repo_slug, get_repos_group_slug
from rhodecode.lib.auth_ldap import AuthLdap

from rhodecode.model import meta
from rhodecode.model.user import UserModel
from rhodecode.model.db import Permission, RhodeCodeSetting, User, UserIpMap
from rhodecode.lib.caching_query import FromCache
# Module-wide logger, named after this module.
log = logging.getLogger(name=__name__)
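class PasswordGenerator(object):
    """
    Generates random passwords drawn from a chosen set of characters.

    Characters are picked with ``random.SystemRandom``, which reads from the
    operating system's random source. A generated password is a secret, and
    the default ``random`` generator is a deterministic PRNG whose output is
    not suitable for secrets.

    usage::

        passwd_gen = PasswordGenerator()
        # 8-letter password containing only big and small letters
        # of alphabet
        passwd_gen.gen_password(8, passwd_gen.ALPHABETS_BIG_SMALL)
    """
    # Character sets that can be passed as ``type_`` to gen_password().
    ALPHABETS_NUM = r'''1234567890'''
    ALPHABETS_SMALL = r'''qwertyuiopasdfghjklzxcvbnm'''
    ALPHABETS_BIG = r'''QWERTYUIOPASDFGHJKLZXCVBNM'''
    ALPHABETS_SPECIAL = r'''`-=[]\;',./~!@#$%^&*()_+{}|:"<>?'''
    ALPHABETS_FULL = ALPHABETS_BIG + ALPHABETS_SMALL \
        + ALPHABETS_NUM + ALPHABETS_SPECIAL
    ALPHABETS_ALPHANUM = ALPHABETS_BIG + ALPHABETS_SMALL + ALPHABETS_NUM
    ALPHABETS_BIG_SMALL = ALPHABETS_BIG + ALPHABETS_SMALL
    ALPHABETS_ALPHANUM_BIG = ALPHABETS_BIG + ALPHABETS_NUM
    ALPHABETS_ALPHANUM_SMALL = ALPHABETS_SMALL + ALPHABETS_NUM

    def __init__(self, passwd=''):
        """
        :param passwd: initial value of ``self.passwd``; replaced by the
            next call to gen_password()
        """
        self.passwd = passwd

    def gen_password(self, length, type_=None):
        """
        Generate a password, store it on ``self.passwd`` and return it.

        :param length: number of characters to generate
        :param type_: string of allowed characters; defaults to
            ``ALPHABETS_FULL`` when ``None``
        """
        if type_ is None:
            type_ = self.ALPHABETS_FULL
        # SystemRandom draws from os.urandom, so the result cannot be
        # reconstructed from earlier outputs of the shared ``random`` state.
        rng = random.SystemRandom()
        self.passwd = ''.join([rng.choice(type_) for _i in range(length)])
        return self.passwd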
class RhodeCodeCrypto(object):
    """
    Password hashing helpers whose implementation depends on the platform.

    NOTE(review): the two branches differ in strength. The windows branch
    stores a single unsalted SHA-256 digest, so equal passwords produce
    equal stored values and the hash is cheap to compute. The unix branch
    uses bcrypt with a per-hash salt. Moving windows installs to a salted,
    slow hash would need a rehash-on-login path, because the stored digests
    cannot be converted.
    """

    @classmethod
    def hash_string(cls, str_):
        """
        Hash ``str_`` for storage as a password.

        On windows the result is the hex SHA-256 digest of ``str_``; on unix
        it is a bcrypt hash salted with ``bcrypt.gensalt(10)``.

        :param str_: password to hash
        :raises Exception: when the platform is neither windows nor unix
        """
        if not (is_windows or is_unix):
            raise Exception('Unknown or unsupported platform %s'
                            % __platform__)

        if is_windows:
            digest = hashlib.sha256(str_)
            return digest.hexdigest()

        import bcrypt
        salt = bcrypt.gensalt(10)
        return bcrypt.hashpw(str_, salt)

    @classmethod
    def hash_check(cls, password, hashed):
        """
        Check a password against its stored hash, using the implementation
        that matches the platform.

        NOTE(review): both branches compare with ``==``, which is not a
        constant-time comparison; ``hmac.compare_digest`` is the usual
        replacement where the supported Python versions provide it.

        :param password: password
        :param hashed: password in hashed form
        :raises Exception: when the platform is neither windows nor unix
        """
        if is_windows:
            candidate = hashlib.sha256(password).hexdigest()
            return candidate == hashed

        if is_unix:
            import bcrypt
            # Re-hashing with the stored value as the salt argument
            # reproduces the stored hash when the password matches.
            rehashed = bcrypt.hashpw(password, hashed)
            return rehashed == hashed

        raise Exception('Unknown or unsupported platform %s' % __platform__)
def get_crypt_password(password):
    """
    Return the hashed form of ``password``.

    Delegates to ``RhodeCodeCrypto.hash_string``.

    :param password: password to hash
    """
    hashed = RhodeCodeCrypto.hash_string(password)
    return hashed
def check_password(password, hashed):
    """
    Tell whether ``password`` matches the stored hash ``hashed``.

    Delegates to ``RhodeCodeCrypto.hash_check``.

    :param password: password to verify
    :param hashed: password in hashed form
    """
    matches = RhodeCodeCrypto.hash_check(password, hashed)
    return matches
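def generate_api_key(str_, salt=None):
    """
    Generates API KEY from given string

    The key is the hex SHA-1 digest of ``str_ + salt``. An API key acts as a
    credential, so its unpredictability comes entirely from the salt: when
    no salt is given, one is drawn from the operating system's random
    source.

    :param str_: string mixed into the key
    :param salt: optional salt. With a caller-supplied salt the key is only
        as unpredictable as that salt and ``str_``; omit it for real keys.
    """

    if salt is None:
        # 20 bytes from os.urandom, hex-encoded so the salt concatenates
        # with ``str_``. tempfile's private name sequence is intended for
        # temporary file names and is not a source of secret values.
        salt = binascii.hexlify(os.urandom(20))

    return hashlib.sha1(str_ + salt).hexdigest()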
def authfunc(environ, username, password):
    """
    Authentication wrapper used in Mercurial and Git for access control.

    Forwards the credentials to ``authenticate`` and returns its result.

    :param environ: needed only for using in Basic auth; not read here
    :param username: username to authenticate
    :param password: password to authenticate with
    """
    is_authenticated = authenticate(username, password)
    return is_authenticated
160 def authenticate(username, password): |
1628
de71a4bde097
Some code cleanups and fixes
Marcin Kuzminski <marcin@python-works.com>
parents:
1621
diff
changeset
|
161 """ |
de71a4bde097
Some code cleanups and fixes
Marcin Kuzminski <marcin@python-works.com>
parents:
1621
diff
changeset
|
162 Authentication function used for access control, |
699
52da7cba88a6
Code refactor for auth func, preparing for ldap support
Marcin Kuzminski <marcin@python-works.com>
parents:
692
diff
changeset
|
163 firstly checks for db authentication then if ldap is enabled for ldap |
705
9e9f1b919c0c
implements #60, ldap configuration and authentication.
Marcin Kuzminski <marcin@python-works.com>
parents:
699
diff
changeset
|
164 authentication, also creates ldap user if not in database |
1203
6832ef664673
source code cleanup: remove trailing white space, normalize file endings
Marcin Kuzminski <marcin@python-works.com>
parents:
1195
diff
changeset
|
165 |
699
52da7cba88a6
Code refactor for auth func, preparing for ldap support
Marcin Kuzminski <marcin@python-works.com>
parents:
692
diff
changeset
|
166 :param username: username |
52da7cba88a6
Code refactor for auth func, preparing for ldap support
Marcin Kuzminski <marcin@python-works.com>
parents:
692
diff
changeset
|
167 :param password: password |
52da7cba88a6
Code refactor for auth func, preparing for ldap support
Marcin Kuzminski <marcin@python-works.com>
parents:
692
diff
changeset
|
168 """ |
1292
c0335c1dee36
added some fixes to LDAP form re-submition, new simples ldap-settings getter.
Marcin Kuzminski <marcin@python-works.com>
parents:
1290
diff
changeset
|
169 |
705
9e9f1b919c0c
implements #60, ldap configuration and authentication.
Marcin Kuzminski <marcin@python-works.com>
parents:
699
diff
changeset
|
170 user_model = UserModel() |
1530
04027bdb876c
Refactoring of model get functions
Marcin Kuzminski <marcin@python-works.com>
parents:
1425
diff
changeset
|
171 user = User.get_by_username(username) |
699
52da7cba88a6
Code refactor for auth func, preparing for ldap support
Marcin Kuzminski <marcin@python-works.com>
parents:
692
diff
changeset
|
172 |
761
56c2850a5b5f
ldap auth rewrite, moved split authfunc into two functions,
Marcin Kuzminski <marcin@python-works.com>
parents:
749
diff
changeset
|
173 log.debug('Authenticating user using RhodeCode account') |
991
b232a36cc51f
Improve LDAP authentication
Thayne Harbaugh <thayne@fusionio.com>
parents:
895
diff
changeset
|
174 if user is not None and not user.ldap_dn: |
64
08707974eae4
Changed auth lib for sqlalchemy
Marcin Kuzminski <marcin@python-blog.com>
parents:
52
diff
changeset
|
175 if user.active: |
674
99875a8f2ad1
#49 Enabled anonymous access push and pull commands
Marcin Kuzminski <marcin@python-works.com>
parents:
673
diff
changeset
|
176 if user.username == 'default' and user.active: |
2025
7e979933ffec
more work on improving info logging
Marcin Kuzminski <marcin@python-works.com>
parents:
2000
diff
changeset
|
177 log.info('user %s authenticated correctly as anonymous user' % |
761
56c2850a5b5f
ldap auth rewrite, moved split authfunc into two functions,
Marcin Kuzminski <marcin@python-works.com>
parents:
749
diff
changeset
|
178 username) |
674
99875a8f2ad1
#49 Enabled anonymous access push and pull commands
Marcin Kuzminski <marcin@python-works.com>
parents:
673
diff
changeset
|
179 return True |
99875a8f2ad1
#49 Enabled anonymous access push and pull commands
Marcin Kuzminski <marcin@python-works.com>
parents:
673
diff
changeset
|
180 |
1246 | 181 elif user.username == username and check_password(password, |
182 user.password): | |
1976 | 183 log.info('user %s authenticated correctly' % username) |
41
71ffa932799d
Added app basic auth.
Marcin Kuzminski <marcin@python-blog.com>
parents:
diff
changeset
|
184 return True |
71ffa932799d
Added app basic auth.
Marcin Kuzminski <marcin@python-blog.com>
parents:
diff
changeset
|
185 else: |
2025
7e979933ffec
more work on improving info logging
Marcin Kuzminski <marcin@python-works.com>
parents:
2000
diff
changeset
|
186 log.warning('user %s tried auth but is disabled' % username) |
705
9e9f1b919c0c
implements #60, ldap configuration and authentication.
Marcin Kuzminski <marcin@python-works.com>
parents:
699
diff
changeset
|
187 |
9e9f1b919c0c
implements #60, ldap configuration and authentication.
Marcin Kuzminski <marcin@python-works.com>
parents:
699
diff
changeset
|
188 else: |
761
56c2850a5b5f
ldap auth rewrite, moved split authfunc into two functions,
Marcin Kuzminski <marcin@python-works.com>
parents:
749
diff
changeset
|
189 log.debug('Regular authentication failed') |
1530
04027bdb876c
Refactoring of model get functions
Marcin Kuzminski <marcin@python-works.com>
parents:
1425
diff
changeset
|
190 user_obj = User.get_by_username(username, case_insensitive=True) |
761
56c2850a5b5f
ldap auth rewrite, moved split authfunc into two functions,
Marcin Kuzminski <marcin@python-works.com>
parents:
749
diff
changeset
|
191 |
991
b232a36cc51f
Improve LDAP authentication
Thayne Harbaugh <thayne@fusionio.com>
parents:
895
diff
changeset
|
192 if user_obj is not None and not user_obj.ldap_dn: |
749
fcd4fb51526e
added debug message for ldap auth
Marcin Kuzminski <marcin@python-works.com>
parents:
748
diff
changeset
|
193 log.debug('this user already exists as non ldap') |
748
88338675a0f7
fixed ldap issue and small template fix
Marcin Kuzminski <marcin@python-works.com>
parents:
742
diff
changeset
|
194 return False |
88338675a0f7
fixed ldap issue and small template fix
Marcin Kuzminski <marcin@python-works.com>
parents:
742
diff
changeset
|
195 |
1633
2c0d35e336b5
refactoring of models names for repoGroup permissions
Marcin Kuzminski <marcin@python-works.com>
parents:
1630
diff
changeset
|
196 ldap_settings = RhodeCodeSetting.get_ldap_settings() |
705
9e9f1b919c0c
implements #60, ldap configuration and authentication.
Marcin Kuzminski <marcin@python-works.com>
parents:
699
diff
changeset
|
197 #====================================================================== |
1203
6832ef664673
source code cleanup: remove trailing white space, normalize file endings
Marcin Kuzminski <marcin@python-works.com>
parents:
1195
diff
changeset
|
198 # FALLBACK TO LDAP AUTH IF ENABLE |
705
9e9f1b919c0c
implements #60, ldap configuration and authentication.
Marcin Kuzminski <marcin@python-works.com>
parents:
699
diff
changeset
|
199 #====================================================================== |
1135
1aa1655bf019
fixed some config bool converter problems with ldap
Marcin Kuzminski <marcin@python-works.com>
parents:
1122
diff
changeset
|
200 if str2bool(ldap_settings.get('ldap_active')): |
761
56c2850a5b5f
ldap auth rewrite, moved split authfunc into two functions,
Marcin Kuzminski <marcin@python-works.com>
parents:
749
diff
changeset
|
201 log.debug("Authenticating user using ldap") |
705
9e9f1b919c0c
implements #60, ldap configuration and authentication.
Marcin Kuzminski <marcin@python-works.com>
parents:
699
diff
changeset
|
202 kwargs = { |
1246 | 203 'server': ldap_settings.get('ldap_host', ''), |
204 'base_dn': ldap_settings.get('ldap_base_dn', ''), | |
205 'port': ldap_settings.get('ldap_port'), | |
206 'bind_dn': ldap_settings.get('ldap_dn_user'), | |
207 'bind_pass': ldap_settings.get('ldap_dn_pass'), | |
1290
74685a31cc43
Enable start_tls connection encryption.
"Lorenzo M. Catucci" <lorenzo@sancho.ccd.uniroma2.it>
parents:
1288
diff
changeset
|
208 'tls_kind': ldap_settings.get('ldap_tls_kind'), |
1246 | 209 'tls_reqcert': ldap_settings.get('ldap_tls_reqcert'), |
210 'ldap_filter': ldap_settings.get('ldap_filter'), | |
211 'search_scope': ldap_settings.get('ldap_search_scope'), | |
212 'attr_login': ldap_settings.get('ldap_attr_login'), | |
213 'ldap_version': 3, | |
705
9e9f1b919c0c
implements #60, ldap configuration and authentication.
Marcin Kuzminski <marcin@python-works.com>
parents:
699
diff
changeset
|
214 } |
9e9f1b919c0c
implements #60, ldap configuration and authentication.
Marcin Kuzminski <marcin@python-works.com>
parents:
699
diff
changeset
|
215 log.debug('Checking for ldap authentication') |
9e9f1b919c0c
implements #60, ldap configuration and authentication.
Marcin Kuzminski <marcin@python-works.com>
parents:
699
diff
changeset
|
216 try: |
9e9f1b919c0c
implements #60, ldap configuration and authentication.
Marcin Kuzminski <marcin@python-works.com>
parents:
699
diff
changeset
|
217 aldap = AuthLdap(**kwargs) |
1246 | 218 (user_dn, ldap_attrs) = aldap.authenticate_ldap(username, |
219 password) | |
1976 | 220 log.debug('Got ldap DN response %s' % user_dn) |
705
9e9f1b919c0c
implements #60, ldap configuration and authentication.
Marcin Kuzminski <marcin@python-works.com>
parents:
699
diff
changeset
|
221 |
1307 | 222 get_ldap_attr = lambda k: ldap_attrs.get(ldap_settings\ |
1292
c0335c1dee36
added some fixes to LDAP form re-submition, new simples ldap-settings getter.
Marcin Kuzminski <marcin@python-works.com>
parents:
1290
diff
changeset
|
223 .get(k), [''])[0] |
c0335c1dee36
added some fixes to LDAP form re-submition, new simples ldap-settings getter.
Marcin Kuzminski <marcin@python-works.com>
parents:
1290
diff
changeset
|
224 |
991
b232a36cc51f
Improve LDAP authentication
Thayne Harbaugh <thayne@fusionio.com>
parents:
895
diff
changeset
|
225 user_attrs = { |
1425
3dedf3991d40
fixes #173, many thanks for slestak for contributing into this one.
Marcin Kuzminski <marcin@python-works.com>
parents:
1336
diff
changeset
|
226 'name': safe_unicode(get_ldap_attr('ldap_attr_firstname')), |
3dedf3991d40
fixes #173, many thanks for slestak for contributing into this one.
Marcin Kuzminski <marcin@python-works.com>
parents:
1336
diff
changeset
|
227 'lastname': safe_unicode(get_ldap_attr('ldap_attr_lastname')), |
3dedf3991d40
fixes #173, many thanks for slestak for contributing into this one.
Marcin Kuzminski <marcin@python-works.com>
parents:
1336
diff
changeset
|
228 'email': get_ldap_attr('ldap_attr_email'), |
3370
fdb0f59b2189
fixes #762, LDAP and container created users are now activated based on
Marcin Kuzminski <marcin@python-works.com>
parents:
3313
diff
changeset
|
229 'active': 'hg.register.auto_activate' in User\ |
fdb0f59b2189
fixes #762, LDAP and container created users are now activated based on
Marcin Kuzminski <marcin@python-works.com>
parents:
3313
diff
changeset
|
230 .get_by_username('default').AuthUser.permissions['global'] |
1425
3dedf3991d40
fixes #173, many thanks for slestak for contributing into this one.
Marcin Kuzminski <marcin@python-works.com>
parents:
1336
diff
changeset
|
231 } |
2000
72c525a7e7ad
added migrations from 1.2.X to 1.3
Marcin Kuzminski <marcin@python-works.com>
parents:
1993
diff
changeset
|
232 |
72c525a7e7ad
added migrations from 1.2.X to 1.3
Marcin Kuzminski <marcin@python-works.com>
parents:
1993
diff
changeset
|
233 # don't store LDAP password since we don't need it. Override |
1992
335b55caa81d
#355 replaced stored LDAP password with some random generated one
Marcin Kuzminski <marcin@python-works.com>
parents:
1982
diff
changeset
|
234 # with some random generated password |
335b55caa81d
#355 replaced stored LDAP password with some random generated one
Marcin Kuzminski <marcin@python-works.com>
parents:
1982
diff
changeset
|
235 _password = PasswordGenerator().gen_password(length=8) |
335b55caa81d
#355 replaced stored LDAP password with some random generated one
Marcin Kuzminski <marcin@python-works.com>
parents:
1982
diff
changeset
|
236 # create this user on the fly if it doesn't exist in rhodecode |
335b55caa81d
#355 replaced stored LDAP password with some random generated one
Marcin Kuzminski <marcin@python-works.com>
parents:
1982
diff
changeset
|
237 # database |
335b55caa81d
#355 replaced stored LDAP password with some random generated one
Marcin Kuzminski <marcin@python-works.com>
parents:
1982
diff
changeset
|
238 if user_model.create_ldap(username, _password, user_dn, |
1246 | 239 user_attrs): |
1976 | 240 log.info('created new ldap user %s' % username) |
1818
cf51bbfb120e
auto white-space removal
Marcin Kuzminski <marcin@python-works.com>
parents:
1808
diff
changeset
|
241 |
2634
4b17216f2110
Deprecated validation of operating system, we just care if it's windows, let approve all other
Marcin Kuzminski <marcin@python-works.com>
parents:
2479
diff
changeset
|
242 Session().commit() |
761
56c2850a5b5f
ldap auth rewrite, moved split authfunc into two functions,
Marcin Kuzminski <marcin@python-works.com>
parents:
749
diff
changeset
|
243 return True |
56c2850a5b5f
ldap auth rewrite, moved split authfunc into two functions,
Marcin Kuzminski <marcin@python-works.com>
parents:
749
diff
changeset
|
244 except (LdapUsernameError, LdapPasswordError,): |
56c2850a5b5f
ldap auth rewrite, moved split authfunc into two functions,
Marcin Kuzminski <marcin@python-works.com>
parents:
749
diff
changeset
|
245 pass |
56c2850a5b5f
ldap auth rewrite, moved split authfunc into two functions,
Marcin Kuzminski <marcin@python-works.com>
parents:
749
diff
changeset
|
246 except (Exception,): |
705
9e9f1b919c0c
implements #60, ldap configuration and authentication.
Marcin Kuzminski <marcin@python-works.com>
parents:
699
diff
changeset
|
247 log.error(traceback.format_exc()) |
761
56c2850a5b5f
ldap auth rewrite, moved split authfunc into two functions,
Marcin Kuzminski <marcin@python-works.com>
parents:
749
diff
changeset
|
248 pass |
41
71ffa932799d
Added app basic auth.
Marcin Kuzminski <marcin@python-blog.com>
parents:
diff
changeset
|
249 return False |
71ffa932799d
Added app basic auth.
Marcin Kuzminski <marcin@python-blog.com>
parents:
diff
changeset
|
250 |
1950
4ae17f819ee8
#344 optional firstname lastname on user creation
Marcin Kuzminski <marcin@python-works.com>
parents:
1824
diff
changeset
|
251 |
1621
cbc2b1913cdf
Added basic automatic user creation for container auth
Liad Shani <liadff@gmail.com>
parents:
1618
diff
changeset
|
def login_container_auth(username):
    """
    Resolve ``username`` to a RhodeCode user for container authentication,
    creating the account the first time the name is seen.

    No password is checked here: the function receives only a name and
    treats it as already authenticated by whatever supplied it.
    NOTE(review): callers should only pass a name obtained from a trusted
    container or proxy -- confirm at the call sites.

    :param username: login name handed over by the container
    :returns: the user object, or None when the account could not be
        created or is not active
    """
    account = User.get_by_username(username)

    if account is None:
        # First login for this name. Whether the new account starts active
        # follows the 'hg.register.auto_activate' entry in the default
        # user's global permissions.
        new_user_attrs = {
            'name': username,
            'lastname': None,
            'email': None,
            'active': 'hg.register.auto_activate' in User\
                .get_by_username('default').AuthUser.permissions['global'],
        }
        account = UserModel().create_for_container_auth(username,
                                                        new_user_attrs)
        if not account:
            return None
        log.info('User %s was created by container authentication' % username)

    # inactive accounts are refused, whether pre-existing or just created
    if not account.active:
        return None

    account.update_lastlogin()
    Session().commit()

    log.debug('User %s is now logged in by container authentication',
              account.username)
    return account
cbc2b1913cdf
Added basic automatic user creation for container auth
Liad Shani <liadff@gmail.com>
parents:
1618
diff
changeset
|
276 |
1950
4ae17f819ee8
#344 optional firstname lastname on user creation
Marcin Kuzminski <marcin@python-works.com>
parents:
1824
diff
changeset
|
277 |
3173
db0871d942b6
adde cleanup username flag into get_container_username function
Marcin Kuzminski <marcin@python-works.com>
parents:
3172
diff
changeset
|
def get_container_username(environ, config, clean_username=False):
    """
    Return the username (or email) supplied by the container, or None.

    REMOTE_USER is read when ``container_auth_enabled`` is set. If that
    yields nothing and ``proxypass_auth_enabled`` is set,
    HTTP_X_FORWARDED_USER is read instead. With ``clean_username`` the
    value is cut at the first ``@`` and everything up to the last
    backslash is dropped.

    NOTE(review): HTTP_X_FORWARDED_USER is an ordinary request header.
    Its value is only trustworthy when the fronting proxy always sets or
    strips it and the application cannot be reached around that proxy.

    :param environ: WSGI environ of the current request
    :param config: mapping holding the two ``*_enabled`` flags
    :param clean_username: strip realm and domain from the extracted name
    """
    username = None

    container_enabled = str2bool(config.get('container_auth_enabled', False))
    if container_enabled:
        from paste.httpheaders import REMOTE_USER
        username = REMOTE_USER(environ)
        log.debug('extracted REMOTE_USER:%s' % (username))

    # the forwarded header is only consulted when REMOTE_USER gave nothing
    if not username:
        if str2bool(config.get('proxypass_auth_enabled', False)):
            username = environ.get('HTTP_X_FORWARDED_USER')
            log.debug('extracted HTTP_X_FORWARDED_USER:%s' % (username))

    if username and clean_username:
        # drop the "@realm" suffix first, then the "DOMAIN\" prefix
        without_realm = username.partition('@')[0]
        username = without_realm.rpartition('\\')[2]
    log.debug('Received username %s from container' % username)

    return username
1246 | 308 |
1950
4ae17f819ee8
#344 optional firstname lastname on user creation
Marcin Kuzminski <marcin@python-works.com>
parents:
1824
diff
changeset
|
309 |
2030
61f9aeb2129e
Added session wrapper, for rc 1.2.X compatibility. Adds backwards compatability
Marcin Kuzminski <marcin@python-works.com>
parents:
2025
diff
changeset
|
class CookieStoreWrapper(object):
    """
    Give a cookie store a uniform ``get`` whether it is a plain dict or an
    AuthUser instance.
    """

    def __init__(self, cookie_store):
        # either a dict or an AuthUser; any other type makes get() return None
        self.cookie_store = cookie_store

    def __repr__(self):
        return 'CookieStore<%s>' % self.cookie_store

    def get(self, key, other=None):
        """
        Look ``key`` up in the wrapped store.

        :param key: dict key, or attribute name for an AuthUser store
        :param other: value returned when the key is missing
        :returns: the stored value or ``other``; None when the store is
            neither a dict nor an AuthUser
        """
        store = self.cookie_store
        if isinstance(store, dict):
            return store.get(key, other)
        if isinstance(store, AuthUser):
            # only instance attributes are visible through __dict__
            return store.__dict__.get(key, other)
        return None
61f9aeb2129e
Added session wrapper, for rc 1.2.X compatibility. Adds backwards compatability
Marcin Kuzminski <marcin@python-works.com>
parents:
2025
diff
changeset
|
323 |
61f9aeb2129e
Added session wrapper, for rc 1.2.X compatibility. Adds backwards compatability
Marcin Kuzminski <marcin@python-works.com>
parents:
2025
diff
changeset
|
324 |
190
d8eb7ee27b4c
Added LoginRequired decorator, empty User data container, hash functions
Marcin Kuzminski <marcin@python-works.com>
parents:
96
diff
changeset
|
325 class AuthUser(object): |
1117
6eb5bb24a948
Major rewrite of auth objects. Moved parts of filling user data into user model.
Marcin Kuzminski <marcin@python-works.com>
parents:
1116
diff
changeset
|
326 """ |
6eb5bb24a948
Major rewrite of auth objects. Moved parts of filling user data into user model.
Marcin Kuzminski <marcin@python-works.com>
parents:
1116
diff
changeset
|
327 A simple object that handles all attributes of user in RhodeCode |
1203
6832ef664673
source code cleanup: remove trailing white space, normalize file endings
Marcin Kuzminski <marcin@python-works.com>
parents:
1195
diff
changeset
|
328 |
1117
6eb5bb24a948
Major rewrite of auth objects. Moved parts of filling user data into user model.
Marcin Kuzminski <marcin@python-works.com>
parents:
1116
diff
changeset
|
329 It does lookup based on API key,given user, or user present in session |
1203
6832ef664673
source code cleanup: remove trailing white space, normalize file endings
Marcin Kuzminski <marcin@python-works.com>
parents:
1195
diff
changeset
|
330 Then it fills all required information for such user. It also checks if |
1117
6eb5bb24a948
Major rewrite of auth objects. Moved parts of filling user data into user model.
Marcin Kuzminski <marcin@python-works.com>
parents:
1116
diff
changeset
|
331 anonymous access is enabled and if so, it returns default user as logged |
6eb5bb24a948
Major rewrite of auth objects. Moved parts of filling user data into user model.
Marcin Kuzminski <marcin@python-works.com>
parents:
1116
diff
changeset
|
332 in |
190
d8eb7ee27b4c
Added LoginRequired decorator, empty User data container, hash functions
Marcin Kuzminski <marcin@python-works.com>
parents:
96
diff
changeset
|
333 """ |
1016
3790279d2538
#56 added propagation of permission from group
Marcin Kuzminski <marcin@python-works.com>
parents:
991
diff
changeset
|
334 |
3125
9b92cf5a0cca
Added UserIpMap interface for allowed IP addresses and IP restriction access
Marcin Kuzminski <marcin@python-works.com>
parents:
2726
diff
changeset
|
def __init__(self, user_id=None, api_key=None, username=None, ip_addr=None):
    """
    Set default attribute values, then load the user via propagate_data().

    :param user_id: id to look the user up by
    :param api_key: API key to look the user up by; kept in ``_api_key``
    :param username: name to look the user up by
    :param ip_addr: stored on the instance as ``ip_addr``
    """
    # lookup inputs
    self.user_id = user_id
    self.username = username
    self.ip_addr = ip_addr
    # The supplied key is held privately and the public attribute starts
    # empty (presumably filled in by the lookup -- confirm in
    # UserModel.fill_data).
    self._api_key = api_key
    self.api_key = None

    # profile defaults
    self.name = self.lastname = self.email = ''

    # unauthenticated, non-admin and without permissions until
    # propagate_data() fills the object in
    self.is_authenticated = False
    self.admin = False
    self.inherit_default_permissions = False
    self.permissions = {}

    self.propagate_data()
    # assigned after propagate_data(), so the instance always starts at None
    self._instance = None
1117
6eb5bb24a948
Major rewrite of auth objects. Moved parts of filling user data into user model.
Marcin Kuzminski <marcin@python-works.com>
parents:
1116
diff
changeset
|
352 |
6eb5bb24a948
Major rewrite of auth objects. Moved parts of filling user data into user model.
Marcin Kuzminski <marcin@python-works.com>
parents:
1116
diff
changeset
|
353 def propagate_data(self): |
6eb5bb24a948
Major rewrite of auth objects. Moved parts of filling user data into user model.
Marcin Kuzminski <marcin@python-works.com>
parents:
1116
diff
changeset
|
354 user_model = UserModel() |
1728
07e56179633e
- fixes celery sqlalchemy session issues for async forking
Marcin Kuzminski <marcin@python-works.com>
parents:
1718
diff
changeset
|
355 self.anonymous_user = User.get_by_username('default', cache=True) |
1613
6cab36e31f09
Added container-based authentication support
Liad Shani <liadff@gmail.com>
parents:
1425
diff
changeset
|
356 is_user_loaded = False |
1718
f78bee8eec78
reduce cookie size for better support of client side sessions
Marcin Kuzminski <marcin@python-works.com>
parents:
1716
diff
changeset
|
357 |
1628
de71a4bde097
Some code cleanups and fixes
Marcin Kuzminski <marcin@python-works.com>
parents:
1621
diff
changeset
|
358 # try go get user by api key |
1122
31e82d872631
disabled api key for anonymous users, and added api_key to rss/atom links for other users
Marcin Kuzminski <marcin@python-works.com>
parents:
1120
diff
changeset
|
359 if self._api_key and self._api_key != self.anonymous_user.api_key: |
1976 | 360 log.debug('Auth User lookup by API KEY %s' % self._api_key) |
1618
9353189b7675
Added automatic logout of deactivated/deleted users
Liad Shani <liadff@gmail.com>
parents:
1617
diff
changeset
|
361 is_user_loaded = user_model.fill_data(self, api_key=self._api_key) |
1818
cf51bbfb120e
auto white-space removal
Marcin Kuzminski <marcin@python-works.com>
parents:
1808
diff
changeset
|
362 # lookup by userid |
1718
f78bee8eec78
reduce cookie size for better support of client side sessions
Marcin Kuzminski <marcin@python-works.com>
parents:
1716
diff
changeset
|
363 elif (self.user_id is not None and |
1628
de71a4bde097
Some code cleanups and fixes
Marcin Kuzminski <marcin@python-works.com>
parents:
1621
diff
changeset
|
364 self.user_id != self.anonymous_user.user_id): |
1976 | 365 log.debug('Auth User lookup by USER ID %s' % self.user_id) |
1618
9353189b7675
Added automatic logout of deactivated/deleted users
Liad Shani <liadff@gmail.com>
parents:
1617
diff
changeset
|
366 is_user_loaded = user_model.fill_data(self, user_id=self.user_id) |
1808
ff788e390497
fix issue #323 auth by suername only if container auth is enabled
Marcin Kuzminski <marcin@python-works.com>
parents:
1749
diff
changeset
|
367 # lookup by username |
ff788e390497
fix issue #323 auth by suername only if container auth is enabled
Marcin Kuzminski <marcin@python-works.com>
parents:
1749
diff
changeset
|
368 elif self.username and \ |
ff788e390497
fix issue #323 auth by suername only if container auth is enabled
Marcin Kuzminski <marcin@python-works.com>
parents:
1749
diff
changeset
|
369 str2bool(config.get('container_auth_enabled', False)): |
370 |
1976 | 371 log.debug('Auth User lookup by USER NAME %s' % self.username) |
372 dbuser = login_container_auth(self.username) |
373 if dbuser is not None: |
374 log.debug('filling all attributes to object') |
375 for k, v in dbuser.get_dict().items(): |
376 setattr(self, k, v) |
377 self.set_authenticated() |
378 is_user_loaded = True |
379 else: |
380 log.debug('No data in %s that could been used to log in' % self) |
381 |
382 if not is_user_loaded: |
383 # if we cannot authenticate user try anonymous |
384 if self.anonymous_user.active is True: |
385 user_model.fill_data(self, user_id=self.anonymous_user.user_id) |
386 # then we set this user is logged in |
387 self.is_authenticated = True |
388 else: |
389 self.user_id = None |
390 self.username = None |
391 self.is_authenticated = False |
392 |
393 if not self.username: |
394 self.username = 'None' |
395 |
1976 | 396 log.debug('Auth User is now %s' % self) |
397 user_model.fill_perms(self) |
398 |
@property
def is_admin(self):
    """
    Read-only view of this user's ``admin`` attribute

    :returns: whatever value is currently stored in ``self.admin``
    """
    admin_flag = self.admin
    return admin_flag
402 |
@property
def repos_admin(self):
    """
    Returns list of repositories you're an admin of

    Walks ``self.permissions['repositories']`` and keeps every key whose
    permission value is exactly ``'repository.admin'``.
    """
    repo_perms = self.permissions['repositories']
    admin_of = []
    for repo_name, perm in repo_perms.iteritems():
        if perm == 'repository.admin':
            admin_of.append(repo_name)
    return admin_of
410 |
@property
def groups_admin(self):
    """
    Returns list of repository groups you're an admin of

    Walks ``self.permissions['repositories_groups']`` and keeps every key
    whose permission value is exactly ``'group.admin'``.
    """
    group_perms = self.permissions['repositories_groups']
    admin_of = []
    for group_name, perm in group_perms.iteritems():
        if perm == 'group.admin':
            admin_of.append(group_name)
    return admin_of
418 |
@property
def ip_allowed(self):
    """
    Checks if ip_addr used in constructor is allowed from defined list of
    allowed ip_addresses for user

    The allow-list is fetched through ``AuthUser.get_allowed_ips`` with
    ``cache=True`` and matched against ``self.ip_addr`` by
    ``check_ip_access``. A match is logged at debug level, a refusal at
    info level.

    :returns: boolean, True if ip is in allowed ip range
    """
    # NOTE(review): where ip_addr is derived from is not visible here; if it
    # can be taken from a forwarded-for style header, this check is only as
    # trustworthy as the proxy that sets that header -- confirm.
    # NOTE(review): the list is read through the query cache, so a changed
    # restriction presumably takes effect only once that cache entry
    # expires -- confirm.
    permitted = AuthUser.get_allowed_ips(self.user_id, cache=True)
    if not check_ip_access(source_ip=self.ip_addr, allowed_ips=permitted):
        log.info('Access for IP:%s forbidden, '
                 'not in %s' % (self.ip_addr, permitted))
        return False
    log.debug('IP:%s is in range of %s' % (self.ip_addr, permitted))
    return True
436 |
def __repr__(self):
    """
    Debug representation: user id, username and authentication flag
    """
    shown = (self.user_id, self.username, self.is_authenticated)
    return "<AuthUser('id:%s:%s|%s')>" % shown
440 |
def set_authenticated(self, authenticated=True):
    """
    Set the ``is_authenticated`` flag, except on the anonymous user

    When ``self.user_id`` equals the anonymous user's id the call is a
    no-op, so this method never marks the anonymous account as
    authenticated.

    :param authenticated: value to store in ``self.is_authenticated``
    """
    if self.user_id == self.anonymous_user.user_id:
        return
    self.is_authenticated = authenticated
444 |
def get_cookie_store(self):
    """
    Build the small dict kept in the session for this user

    Only ``username``, ``user_id`` and ``is_authenticated`` are included;
    the API key is not part of the stored data.

    :returns: dict with the three fields named above
    """
    # NOTE(review): how the session carrying this dict is protected
    # (signed / server-side) is not visible here -- confirm, since the
    # values identify the user on later requests.
    stored_fields = ('username', 'user_id', 'is_authenticated')
    return dict((name, getattr(self, name)) for name in stored_fields)
449 |
@classmethod
def from_cookie_store(cls, cookie_store):
    """
    Creates AuthUser from a cookie store

    Reads ``user_id``, ``username`` and ``api_key`` from the store (each
    is ``None`` when absent) and hands them to the ``AuthUser``
    constructor. The stored ``is_authenticated`` flag is not read here.

    :param cls:
    :param cookie_store: mapping with a ``get`` method
    """
    # NOTE(review): the values are used as given; this presumably relies on
    # the session layer to guarantee their integrity -- confirm.
    wanted = ('user_id', 'username', 'api_key')
    found = dict((key, cookie_store.get(key)) for key in wanted)
    return AuthUser(found['user_id'], found['api_key'], found['username'])
462 |
@classmethod
def get_allowed_ips(cls, user_id, cache=False):
    """
    Collect the IP entries stored in ``UserIpMap`` for ``user_id``

    When no entry is found the result falls back to
    ``'0.0.0.0/0'`` and ``'::/0'``, i.e. a user without configured
    restrictions is allowed from every IPv4 and IPv6 address.

    :param user_id: id used to filter ``UserIpMap`` rows
    :param cache: if True the query goes through the ``sql_cache_short``
        cache region under a per-user key
    :returns: set of ``ip_addr`` values
    """
    query = UserIpMap.query().filter(UserIpMap.user_id == user_id)
    if cache:
        query = query.options(FromCache("sql_cache_short",
                                        "get_user_ips_%s" % user_id))
    allowed = set()
    for entry in query:
        try:
            allowed.add(entry.ip_addr)
        except ObjectDeletedError:
            # heavy caching can hand back rows that were deleted in the
            # meantime; those are skipped
            continue
    if allowed:
        return allowed
    # nothing usable found: the result is the allow-everything default
    return set(['0.0.0.0/0', '::/0'])
478 |
479 |
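def set_available_permissions(config):
    """
    This function will populate pylons globals with all available defined
    permissions given in db. We don't want to check the db each time for
    new permissions, since adding a new permission also requires an
    application restart, i.e. to decorate new views with the newly created
    permission

    If the query fails, the failure is logged and
    ``config['available_permissions']`` is set to an empty list.

    :param config: current pylons config instance

    """
    log.info('getting information about all available permissions')
    # Start from an empty result: previously a failed query left
    # ``all_perms`` unbound and the assignment below raised a NameError
    # that hid the real database error.
    all_perms = []
    try:
        sa = meta.Session
        all_perms = sa.query(Permission).all()
    except Exception:
        # still best effort, but leave a trace instead of failing silently
        log.exception('could not load available permissions from db')
    finally:
        meta.Session.remove()

    config['available_permissions'] = [x.permission_name for x in all_perms]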
500 |
1246 | 501 |
502 #============================================================================== | |
503 # CHECK DECORATORS |
1246 | 504 #============================================================================== |
505 class LoginRequired(object): |
1117
6eb5bb24a948
Major rewrite of auth objects. Moved parts of filling user data into user model.
Marcin Kuzminski <marcin@python-works.com>
parents:
1116
diff
changeset
|
506 """ |
1203
6832ef664673
source code cleanup: remove trailing white space, normalize file endings
Marcin Kuzminski <marcin@python-works.com>
parents:
1195
diff
changeset
|
507 Must be logged in to execute this function else |
1117
6eb5bb24a948
Major rewrite of auth objects. Moved parts of filling user data into user model.
Marcin Kuzminski <marcin@python-works.com>
parents:
1116
diff
changeset
|
508 redirect to login page |
1203
6832ef664673
source code cleanup: remove trailing white space, normalize file endings
Marcin Kuzminski <marcin@python-works.com>
parents:
1195
diff
changeset
|
509 |
1117
6eb5bb24a948
Major rewrite of auth objects. Moved parts of filling user data into user model.
Marcin Kuzminski <marcin@python-works.com>
parents:
1116
diff
changeset
|
510 :param api_access: if enabled this checks only for valid auth token |
6eb5bb24a948
Major rewrite of auth objects. Moved parts of filling user data into user model.
Marcin Kuzminski <marcin@python-works.com>
parents:
1116
diff
changeset
|
511 and grants access based on valid token |
6eb5bb24a948
Major rewrite of auth objects. Moved parts of filling user data into user model.
Marcin Kuzminski <marcin@python-works.com>
parents:
1116
diff
changeset
|
512 """ |
6eb5bb24a948
Major rewrite of auth objects. Moved parts of filling user data into user model.
Marcin Kuzminski <marcin@python-works.com>
parents:
1116
diff
changeset
|
513 |
6eb5bb24a948
Major rewrite of auth objects. Moved parts of filling user data into user model.
Marcin Kuzminski <marcin@python-works.com>
parents:
1116
diff
changeset
|
514 def __init__(self, api_access=False): |
6eb5bb24a948
Major rewrite of auth objects. Moved parts of filling user data into user model.
Marcin Kuzminski <marcin@python-works.com>
parents:
1116
diff
changeset
|
515 self.api_access = api_access |
673
dd532af216d9
#49 Enabled anonymous access for web interface controllable from permissions pannel
Marcin Kuzminski <marcin@python-works.com>
parents:
629
diff
changeset
|
516 |
190
d8eb7ee27b4c
Added LoginRequired decorator, empty User data container, hash functions
Marcin Kuzminski <marcin@python-works.com>
parents:
96
diff
changeset
|
517 def __call__(self, func): |
377
bd8b25ad058d
Fixed decorators bug when using them with keyworded arguments,new implementation takes new approach that is more flexible
Marcin Kuzminski <marcin@python-works.com>
parents:
371
diff
changeset
|
518 return decorator(self.__wrapper, func) |
673
dd532af216d9
#49 Enabled anonymous access for web interface controllable from permissions pannel
Marcin Kuzminski <marcin@python-works.com>
parents:
629
diff
changeset
|
519 |
377
bd8b25ad058d
Fixed decorators bug when using them with keyworded arguments,new implementation takes new approach that is more flexible
Marcin Kuzminski <marcin@python-works.com>
parents:
371
diff
changeset
|
520 def __wrapper(self, func, *fargs, **fkwargs): |
1117
6eb5bb24a948
Major rewrite of auth objects. Moved parts of filling user data into user model.
Marcin Kuzminski <marcin@python-works.com>
parents:
1116
diff
changeset
|
521 cls = fargs[0] |
6eb5bb24a948
Major rewrite of auth objects. Moved parts of filling user data into user model.
Marcin Kuzminski <marcin@python-works.com>
parents:
1116
diff
changeset
|
522 user = cls.rhodecode_user |
3146
c5169e445fb8
Full IP restrictions enabled
Marcin Kuzminski <marcin@python-works.com>
parents:
3137
diff
changeset
|
523 loc = "%s:%s" % (cls.__class__.__name__, func.__name__) |
c5169e445fb8
Full IP restrictions enabled
Marcin Kuzminski <marcin@python-works.com>
parents:
3137
diff
changeset
|
524 |
c5169e445fb8
Full IP restrictions enabled
Marcin Kuzminski <marcin@python-works.com>
parents:
3137
diff
changeset
|
525 #check IP |
c5169e445fb8
Full IP restrictions enabled
Marcin Kuzminski <marcin@python-works.com>
parents:
3137
diff
changeset
|
526 ip_access_ok = True |
c5169e445fb8
Full IP restrictions enabled
Marcin Kuzminski <marcin@python-works.com>
parents:
3137
diff
changeset
|
527 if not user.ip_allowed: |
c5169e445fb8
Full IP restrictions enabled
Marcin Kuzminski <marcin@python-works.com>
parents:
3137
diff
changeset
|
528 from rhodecode.lib import helpers as h |
c5169e445fb8
Full IP restrictions enabled
Marcin Kuzminski <marcin@python-works.com>
parents:
3137
diff
changeset
|
529 h.flash(h.literal(_('IP %s not allowed' % (user.ip_addr))), |
c5169e445fb8
Full IP restrictions enabled
Marcin Kuzminski <marcin@python-works.com>
parents:
3137
diff
changeset
|
530 category='warning') |
c5169e445fb8
Full IP restrictions enabled
Marcin Kuzminski <marcin@python-works.com>
parents:
3137
diff
changeset
|
531 ip_access_ok = False |
1117
6eb5bb24a948
Major rewrite of auth objects. Moved parts of filling user data into user model.
Marcin Kuzminski <marcin@python-works.com>
parents:
1116
diff
changeset
|
532 |
6eb5bb24a948
Major rewrite of auth objects. Moved parts of filling user data into user model.
Marcin Kuzminski <marcin@python-works.com>
parents:
1116
diff
changeset
|
533 api_access_ok = False |
6eb5bb24a948
Major rewrite of auth objects. Moved parts of filling user data into user model.
Marcin Kuzminski <marcin@python-works.com>
parents:
1116
diff
changeset
|
534 if self.api_access: |
1976 | 535 log.debug('Checking API KEY access for %s' % cls) |
1117
6eb5bb24a948
Major rewrite of auth objects. Moved parts of filling user data into user model.
Marcin Kuzminski <marcin@python-works.com>
parents:
1116
diff
changeset
|
536 if user.api_key == request.GET.get('api_key'): |
6eb5bb24a948
Major rewrite of auth objects. Moved parts of filling user data into user model.
Marcin Kuzminski <marcin@python-works.com>
parents:
1116
diff
changeset
|
537 api_access_ok = True |
6eb5bb24a948
Major rewrite of auth objects. Moved parts of filling user data into user model.
Marcin Kuzminski <marcin@python-works.com>
parents:
1116
diff
changeset
|
538 else: |
6eb5bb24a948
Major rewrite of auth objects. Moved parts of filling user data into user model.
Marcin Kuzminski <marcin@python-works.com>
parents:
1116
diff
changeset
|
539 log.debug("API KEY token not valid") |
3146
c5169e445fb8
Full IP restrictions enabled
Marcin Kuzminski <marcin@python-works.com>
parents:
3137
diff
changeset
|
540 |
2025
7e979933ffec
more work on improving info logging
Marcin Kuzminski <marcin@python-works.com>
parents:
2000
diff
changeset
|
541 log.debug('Checking if %s is authenticated @ %s' % (user.username, loc)) |
3146
c5169e445fb8
Full IP restrictions enabled
Marcin Kuzminski <marcin@python-works.com>
parents:
3137
diff
changeset
|
542 if (user.is_authenticated or api_access_ok) and ip_access_ok: |
2458
ba49541187d9
Little more verbose logging for auth
Marcin Kuzminski <marcin@python-works.com>
parents:
2278
diff
changeset
|
543 reason = 'RegularAuth' if user.is_authenticated else 'APIAuth' |
ba49541187d9
Little more verbose logging for auth
Marcin Kuzminski <marcin@python-works.com>
parents:
2278
diff
changeset
|
544 log.info('user %s is authenticated and granted access to %s ' |
ba49541187d9
Little more verbose logging for auth
Marcin Kuzminski <marcin@python-works.com>
parents:
2278
diff
changeset
|
545 'using %s' % (user.username, loc, reason) |
2025
7e979933ffec
more work on improving info logging
Marcin Kuzminski <marcin@python-works.com>
parents:
2000
diff
changeset
|
546 ) |
377
bd8b25ad058d
Fixed decorators bug when using them with keyworded arguments,new implementation takes new approach that is more flexible
Marcin Kuzminski <marcin@python-works.com>
parents:
371
diff
changeset
|
547 return func(*fargs, **fkwargs) |
bd8b25ad058d
Fixed decorators bug when using them with keyworded arguments,new implementation takes new approach that is more flexible
Marcin Kuzminski <marcin@python-works.com>
parents:
371
diff
changeset
|
548 else: |
2025
7e979933ffec
more work on improving info logging
Marcin Kuzminski <marcin@python-works.com>
parents:
2000
diff
changeset
|
549 log.warn('user %s NOT authenticated on func: %s' % ( |
7e979933ffec
more work on improving info logging
Marcin Kuzminski <marcin@python-works.com>
parents:
2000
diff
changeset
|
550 user, loc) |
7e979933ffec
more work on improving info logging
Marcin Kuzminski <marcin@python-works.com>
parents:
2000
diff
changeset
|
551 ) |
1207
e61b7ba293db
changed the way of generating url for came_from
Marcin Kuzminski <marcin@python-works.com>
parents:
1206
diff
changeset
|
552 p = url.current() |
553 |
1976 | 554 log.debug('redirecting to login page with %s' % p) |
555 return redirect(url('login_home', came_from=p)) |
556 |
1246 | 557 |
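class NotAnonymous(object):
    """
    Controller decorator that lets the wrapped action run only when the
    request's user is not the account named 'default' (the name this
    module compares against to detect the anonymous user). An anonymous
    caller gets a flash message and a redirect to the login page.
    """

    def __call__(self, func):
        """Wrap *func* so every call passes through the anonymous check."""
        return decorator(self.__wrapper, func)

    def __wrapper(self, func, *fargs, **fkwargs):
        """Run *func* for a named user, otherwise redirect to login.

        The first positional argument of the wrapped call is expected to
        carry a ``rhodecode_user`` attribute.
        """
        cls = fargs[0]
        # The same decorator instance handles every call of the decorated
        # action, so the access decision is taken on a local name. Reading
        # it back from an attribute of the shared instance would let a
        # concurrent request on a threaded server rebind it between the
        # assignment and the check.
        user = cls.rhodecode_user
        # still published on the instance for code that reads it afterwards
        self.user = user

        log.debug('Checking if user is not anonymous @%s', cls)

        if user.username == 'default':
            # remember where the user was heading so login can return there
            p = url.current()

            # imported here rather than at module level, presumably to avoid
            # an import cycle with the helpers module
            import rhodecode.lib.helpers as h
            h.flash(_('You need to be a registered user to '
                      'perform this action'),
                    category='warning')
            return redirect(url('login_home', came_from=p))

        return func(*fargs, **fkwargs)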
584 |
1246 | 585 |
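class PermsDecorator(object):
    """Base class for controller decorators that gate an action on permissions.

    Subclasses implement ``check_permissions()``, which decides from
    ``self.required_perms`` and ``self.user_perms`` whether the call may
    proceed.
    """

    def __init__(self, *required_perms):
        """Store the required permission names.

        :raises Exception: when a name is not listed in
            ``config['available_permissions']``
        """
        available_perms = config['available_permissions']
        # unknown names are rejected when the decorator is constructed
        for perm in required_perms:
            if perm not in available_perms:
                raise Exception("'%s' permission is not defined" % perm)
        self.required_perms = set(required_perms)
        self.user_perms = None

    def __call__(self, func):
        """Wrap *func* so every call passes through the permission check."""
        return decorator(self.__wrapper, func)

    def __wrapper(self, func, *fargs, **fkwargs):
        """Call *func* when check_permissions() passes.

        On denial an anonymous user ('default') is redirected to the login
        page and any other user gets a 403.
        """
        cls = fargs[0]
        user = cls.rhodecode_user
        # NOTE(review): check_permissions() takes no arguments and reads the
        # permissions from this instance, and the same instance handles every
        # call of the decorated action. On a threaded server a concurrent
        # request could rebind these attributes between the assignment and
        # the check. Passing the permissions into check_permissions() would
        # close that window, but it changes the contract with subclasses.
        self.user = user
        self.user_perms = user.permissions
        log.debug('checking %s permissions %s for %s %s',
                  self.__class__.__name__, self.required_perms, cls, user)

        if self.check_permissions():
            log.debug('Permission granted for %s %s', cls, user)
            return func(*fargs, **fkwargs)

        # Denials are logged at warning level, like the failed-login branch
        # of the login check earlier in this module, so refused requests
        # show up in logs that do not record debug output.
        log.warning('Permission denied for %s %s', cls, user)

        # decided on the local, not on the shared instance attribute
        if user.username == 'default':
            p = url.current()

            import rhodecode.lib.helpers as h
            # message text kept verbatim; presumably it is the translation
            # lookup key
            h.flash(_('You need to be a signed in to '
                      'view this page'),
                    category='warning')
            return redirect(url('login_home', came_from=p))

        # a signed-in user without the permission: forbidden
        return abort(403)

    def check_permissions(self):
        """Return whether access is granted; subclasses must override."""
        # NotImplementedError is a subclass of Exception, so callers that
        # catch Exception keep working
        raise NotImplementedError(
            'You have to write this function in child class')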
631 |
1246 | 632 |
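class HasPermissionAllDecorator(PermsDecorator):
    """
    Checks the user's global permissions against all given predicates.
    Every one of them must be met for the request to proceed.
    """

    def check_permissions(self):
        """Return True when every required permission is a global one."""
        # .get() returns None when the permission mapping has no 'global'
        # entry; issubset(None) would raise TypeError, so deny explicitly.
        global_perms = self.user_perms.get('global')
        if global_perms is None:
            return False
        return self.required_perms.issubset(global_perms)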
643 |
644 |
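class HasPermissionAnyDecorator(PermsDecorator):
    """
    Checks the user's global permissions against the given predicates.
    Meeting any one of them is enough for the request to proceed.
    """

    def check_permissions(self):
        """Return True when at least one required permission is global."""
        # .get() returns None when the permission mapping has no 'global'
        # entry; intersection(None) would raise TypeError, so deny explicitly.
        global_perms = self.user_perms.get('global')
        if global_perms is None:
            return False
        return bool(self.required_perms.intersection(global_perms))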
655 |
1246 | 656 |
class HasRepoPermissionAllDecorator(PermsDecorator):
    """
    Checks the user's permission on the repository named by the current
    request against all given predicates. Every one of them must be met
    for the request to proceed.
    """

    def check_permissions(self):
        """Return True when the repository permission covers all predicates."""
        repo_name = get_repo_slug(request)
        try:
            # a single permission value is stored per repository, so with
            # more than one required permission the subset test cannot pass
            granted = set([self.user_perms['repositories'][repo_name]])
        except KeyError:
            # no entry for this repository: deny
            return False
        return self.required_perms.issubset(granted)
672 |
673 |
class HasRepoPermissionAnyDecorator(PermsDecorator):
    """
    Checks the user's permission on the repository named by the current
    request against the given predicates. Meeting any one of them is
    enough for the request to proceed.
    """

    def check_permissions(self):
        """Return True when the repository permission is one of the predicates."""
        repo_name = get_repo_slug(request)
        try:
            granted = set([self.user_perms['repositories'][repo_name]])
        except KeyError:
            # no entry for this repository: deny
            return False

        return bool(self.required_perms.intersection(granted))
1246 | 690 |
691 | |
class HasReposGroupPermissionAllDecorator(PermsDecorator):
    """
    Checks the user's permission on the repository group named by the
    current request against all given predicates. Every one of them must
    be met for the request to proceed.
    """

    def check_permissions(self):
        """Return True when the group permission covers all predicates."""
        group_name = get_repos_group_slug(request)
        try:
            # a single permission value is stored per group, so with more
            # than one required permission the subset test cannot pass
            granted = set([self.user_perms['repositories_groups'][group_name]])
        except KeyError:
            # no entry for this repository group: deny
            return False

        return self.required_perms.issubset(granted)
708 |
709 |
class HasReposGroupPermissionAnyDecorator(PermsDecorator):
    """
    Checks the user's permission on the repository group named by the
    current request against the given predicates. Meeting any one of them
    is enough for the request to proceed.
    """

    def check_permissions(self):
        """Return True when the group permission is one of the predicates."""
        group_name = get_repos_group_slug(request)
        try:
            granted = set([self.user_perms['repositories_groups'][group_name]])
        except KeyError:
            # no entry for this repository group: deny
            return False

        return bool(self.required_perms.intersection(granted))
726 |
727 |
1246 | 728 #============================================================================== |
729 # CHECK FUNCTIONS |
1246 | 730 #============================================================================== |
731 class PermsFunction(object): |
732 """Base function for other check functions""" |
733 |
316
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
734 def __init__(self, *perms): |
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
735 available_perms = config['available_permissions'] |
673
dd532af216d9
#49 Enabled anonymous access for web interface controllable from permissions pannel
Marcin Kuzminski <marcin@python-works.com>
parents:
629
diff
changeset
|
736 |
316
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
737 for perm in perms: |
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
738 if perm not in available_perms: |
2105
926f55b038bc
added initial rc-extension module
Marcin Kuzminski <marcin@python-works.com>
parents:
2100
diff
changeset
|
739 raise Exception("'%s' permission is not defined" % perm) |
316
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
740 self.required_perms = set(perms) |
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
741 self.user_perms = None |
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
742 self.repo_name = None |
2125
097327aaf2ad
more detailed logging on auth system
Marcin Kuzminski <marcin@python-works.com>
parents:
2109
diff
changeset
|
743 self.group_name = None |
673
dd532af216d9
#49 Enabled anonymous access for web interface controllable from permissions pannel
Marcin Kuzminski <marcin@python-works.com>
parents:
629
diff
changeset
|
744 |
3313
14697de1598f
refactor check_Location => check_location
Marcin Kuzminski <marcin@python-works.com>
parents:
3222
diff
changeset
|
745 def __call__(self, check_location=''): |
14697de1598f
refactor check_Location => check_location
Marcin Kuzminski <marcin@python-works.com>
parents:
3222
diff
changeset
|
746 #TODO: put user as attribute here |
1728
07e56179633e
- fixes celery sqlalchemy session issues for async forking
Marcin Kuzminski <marcin@python-works.com>
parents:
1718
diff
changeset
|
747 user = request.user |
2125
097327aaf2ad
more detailed logging on auth system
Marcin Kuzminski <marcin@python-works.com>
parents:
2109
diff
changeset
|
748 cls_name = self.__class__.__name__ |
097327aaf2ad
more detailed logging on auth system
Marcin Kuzminski <marcin@python-works.com>
parents:
2109
diff
changeset
|
749 check_scope = { |
097327aaf2ad
more detailed logging on auth system
Marcin Kuzminski <marcin@python-works.com>
parents:
2109
diff
changeset
|
750 'HasPermissionAll': '', |
097327aaf2ad
more detailed logging on auth system
Marcin Kuzminski <marcin@python-works.com>
parents:
2109
diff
changeset
|
751 'HasPermissionAny': '', |
097327aaf2ad
more detailed logging on auth system
Marcin Kuzminski <marcin@python-works.com>
parents:
2109
diff
changeset
|
752 'HasRepoPermissionAll': 'repo:%s' % self.repo_name, |
097327aaf2ad
more detailed logging on auth system
Marcin Kuzminski <marcin@python-works.com>
parents:
2109
diff
changeset
|
753 'HasRepoPermissionAny': 'repo:%s' % self.repo_name, |
097327aaf2ad
more detailed logging on auth system
Marcin Kuzminski <marcin@python-works.com>
parents:
2109
diff
changeset
|
754 'HasReposGroupPermissionAll': 'group:%s' % self.group_name, |
097327aaf2ad
more detailed logging on auth system
Marcin Kuzminski <marcin@python-works.com>
parents:
2109
diff
changeset
|
755 'HasReposGroupPermissionAny': 'group:%s' % self.group_name, |
097327aaf2ad
more detailed logging on auth system
Marcin Kuzminski <marcin@python-works.com>
parents:
2109
diff
changeset
|
756 }.get(cls_name, '?') |
097327aaf2ad
more detailed logging on auth system
Marcin Kuzminski <marcin@python-works.com>
parents:
2109
diff
changeset
|
757 log.debug('checking cls:%s %s usr:%s %s @ %s', cls_name, |
097327aaf2ad
more detailed logging on auth system
Marcin Kuzminski <marcin@python-works.com>
parents:
2109
diff
changeset
|
758 self.required_perms, user, check_scope, |
3313
14697de1598f
refactor check_Location => check_location
Marcin Kuzminski <marcin@python-works.com>
parents:
3222
diff
changeset
|
759 check_location or 'unspecified location') |
333 | 760 if not user: |
2045
5b12cbae0b50
fixed issue with sessions that lead to redirection loops
Marcin Kuzminski <marcin@python-works.com>
parents:
2030
diff
changeset
|
761 log.debug('Empty request user') |
333 | 762 return False |
316
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
763 self.user_perms = user.permissions |
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
764 if self.check_permissions(): |
3137
6c705abed11a
logging: include more info in grant/deny log entries
Mads Kiilerich <madski@unity3d.com>
parents:
3125
diff
changeset
|
765 log.debug('Permission to %s granted for user: %s @ %s', self.repo_name, user, |
3313
14697de1598f
refactor check_Location => check_location
Marcin Kuzminski <marcin@python-works.com>
parents:
3222
diff
changeset
|
766 check_location or 'unspecified location') |
316
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
767 return True |
673
dd532af216d9
#49 Enabled anonymous access for web interface controllable from permissions pannel
Marcin Kuzminski <marcin@python-works.com>
parents:
629
diff
changeset
|
768 |
316
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
769 else: |
3137
6c705abed11a
logging: include more info in grant/deny log entries
Mads Kiilerich <madski@unity3d.com>
parents:
3125
diff
changeset
|
770 log.debug('Permission to %s denied for user: %s @ %s', self.repo_name, user, |
3313
14697de1598f
refactor check_Location => check_location
Marcin Kuzminski <marcin@python-works.com>
parents:
3222
diff
changeset
|
771 check_location or 'unspecified location') |
673
dd532af216d9
#49 Enabled anonymous access for web interface controllable from permissions pannel
Marcin Kuzminski <marcin@python-works.com>
parents:
629
diff
changeset
|
772 return False |
dd532af216d9
#49 Enabled anonymous access for web interface controllable from permissions pannel
Marcin Kuzminski <marcin@python-works.com>
parents:
629
diff
changeset
|
773 |
316
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
774 def check_permissions(self): |
377
bd8b25ad058d
Fixed decorators bug when using them with keyworded arguments,new implementation takes new approach that is more flexible
Marcin Kuzminski <marcin@python-works.com>
parents:
371
diff
changeset
|
775 """Dummy function for overriding""" |
316
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
776 raise Exception('You have to write this function in child class') |
777 |
1246 | 778 |
class HasPermissionAll(PermsFunction):
    """Global check that passes only when every required name is held."""

    def check_permissions(self):
        """Return True when all required names are in the 'global' entry.

        NOTE(review): an empty required set is a subset of anything, so an
        instance built without permission names passes for every user that
        reaches this check.
        """
        # .get() yields None when the 'global' key is absent; issubset() then
        # raises TypeError rather than granting access.
        global_perms = self.user_perms.get('global')
        return self.required_perms.issubset(global_perms)
784 |
1246 | 785 |
class HasPermissionAny(PermsFunction):
    """Global check that passes when at least one required name is held."""

    def check_permissions(self):
        """Return True when a required name appears in the 'global' entry."""
        # .get() yields None when the 'global' key is absent; intersection()
        # then raises TypeError rather than granting access.
        held = self.required_perms.intersection(self.user_perms.get('global'))
        return bool(held)
791 |
1246 | 792 |
class HasRepoPermissionAll(PermsFunction):
    """Repository check that requires every listed permission to match."""

    def __call__(self, repo_name=None, check_location=''):
        """Remember the target repository, then run the base-class check.

        :param repo_name: repository to check; when falsy the name is taken
            from the current request inside :meth:`check_permissions`
        :param check_location: call-site label passed through for logging
        """
        self.repo_name = repo_name
        return super(HasRepoPermissionAll, self).__call__(check_location)

    def check_permissions(self):
        """Compare the required set with the user's entry for the repository.

        :returns: ``False`` when the user has no entry for the repository,
            otherwise whether the required set is a subset of that entry
        """
        if not self.repo_name:
            self.repo_name = get_repo_slug(request)

        try:
            granted = self.user_perms['repositories'][self.repo_name]
        except KeyError:
            # No entry for this repository: deny.
            return False

        # The lookup gives one value, wrapped in a one-element set. Requiring
        # two different names can therefore never succeed, while an empty
        # required set is vacuously satisfied.
        self._user_perms = set([granted])
        return self.required_perms.issubset(self._user_perms)
811 |
1246 | 812 |
class HasRepoPermissionAny(PermsFunction):
    """Repository check that passes when one listed permission matches."""

    def __call__(self, repo_name=None, check_location=''):
        """Remember the target repository, then run the base-class check.

        :param repo_name: repository to check; when falsy the name is taken
            from the current request inside :meth:`check_permissions`
        :param check_location: call-site label passed through for logging
        """
        self.repo_name = repo_name
        return super(HasRepoPermissionAny, self).__call__(check_location)

    def check_permissions(self):
        """Return True when the user's entry for the repo is a required name.

        :returns: ``False`` when the user has no entry for the repository
        """
        if not self.repo_name:
            self.repo_name = get_repo_slug(request)

        try:
            granted = self.user_perms['repositories'][self.repo_name]
        except KeyError:
            # No entry for this repository: deny.
            return False

        # The lookup gives one value, wrapped in a one-element set.
        self._user_perms = set([granted])
        return bool(self.required_perms.intersection(self._user_perms))
831 |
1246 | 832 |
class HasReposGroupPermissionAny(PermsFunction):
    """Repository-group check that passes when one listed name matches."""

    def __call__(self, group_name=None, check_location=''):
        """Remember the target group, then run the base-class check.

        :param group_name: repository group to check
        :param check_location: call-site label passed through for logging
        """
        self.group_name = group_name
        return super(HasReposGroupPermissionAny, self).__call__(check_location)

    def check_permissions(self):
        """Return True when the user's entry for the group is a required name.

        ``group_name`` is used as given; a name with no entry in the user's
        'repositories_groups' mapping yields ``False``.
        """
        try:
            granted = self.user_perms['repositories_groups'][self.group_name]
        except KeyError:
            # No entry for this group: deny.
            return False

        # The lookup gives one value, wrapped in a one-element set.
        self._user_perms = set([granted])
        return bool(self.required_perms.intersection(self._user_perms))
848 |
849 |
class HasReposGroupPermissionAll(PermsFunction):
    """Repository-group check that requires every listed name to match."""

    def __call__(self, group_name=None, check_location=''):
        """Remember the target group, then run the base-class check.

        :param group_name: repository group to check
        :param check_location: call-site label passed through for logging
        """
        self.group_name = group_name
        return super(HasReposGroupPermissionAll, self).__call__(check_location)

    def check_permissions(self):
        """Compare the required set with the user's entry for the group.

        ``group_name`` is used as given; a name with no entry in the user's
        'repositories_groups' mapping yields ``False``.
        """
        try:
            granted = self.user_perms['repositories_groups'][self.group_name]
        except KeyError:
            # No entry for this group: deny.
            return False

        # The lookup gives one value, wrapped in a one-element set. Requiring
        # two different names can therefore never succeed, while an empty
        # required set is vacuously satisfied.
        self._user_perms = set([granted])
        return self.required_perms.issubset(self._user_perms)
865 |
866 |
1246 | 867 #============================================================================== |
868 # SPECIAL VERSION TO HANDLE MIDDLEWARE AUTH |
1246 | 869 #============================================================================== |
870 class HasPermissionAnyMiddleware(object): |
871 def __init__(self, *perms): |
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
872 self.required_perms = set(perms) |
873 |
def __call__(self, user, repo_name):
    """Check ``user`` against ``repo_name`` and return the verdict.

    :param user: object providing ``user_id`` and ``username``
    :param repo_name: repository name; converted with ``safe_unicode``
        before it is used as a lookup key
    :returns: the result of :meth:`check_permissions`
    """
    # repo_name MUST be unicode, since we handle keys in permission
    # dict by unicode
    repo_name = safe_unicode(repo_name)
    auth_user = AuthUser(user.user_id)
    try:
        repo_perm = auth_user.permissions['repositories'][repo_name]
        self.user_perms = set([repo_perm])
    except Exception:
        # Fail closed: any failure, including a missing entry for the
        # repository, is logged with its traceback and then treated as
        # "no permissions".
        log.error('Exception while accessing permissions %s' %
                  traceback.format_exc())
        self.user_perms = set()

    # Kept on the instance for the log lines in check_permissions().
    self.username = user.username
    self.repo_name = repo_name
    return self.check_permissions()
888 |
316
d6e2817734d2
Full rewrite of auth module, new functions/decorators. FIxed auth user
Marcin Kuzminski <marcin@python-works.com>
parents:
299
diff
changeset
|
def check_permissions(self):
    """
    Decide whether the permissions resolved for the current VCS request
    are sufficient.

    Access is granted as soon as ``self.required_perms`` and
    ``self.user_perms`` have at least one entry in common; an empty
    ``self.user_perms`` therefore always results in a denial.

    :returns: True when access is granted, False otherwise
    """
    log.debug('checking VCS protocol '
              'permissions %s for user:%s repository:%s', self.user_perms,
              self.username, self.repo_name)
    # both outcomes are logged with the same (user, repo) pair
    subject = (self.username, self.repo_name)
    if not self.required_perms.intersection(self.user_perms):
        log.debug('permission denied for user:%s on repo:%s' % subject)
        return False
    log.debug('permission granted for user:%s on repo:%s' % subject)
    return True
906 #============================================================================== |
907 # SPECIAL VERSION TO HANDLE API AUTH |
908 #============================================================================== |
class _BaseApiPerm(object):
    """
    Common machinery of the permission checkers used for API calls.

    An instance is built from the permission names it requires and is then
    called with the user (and optionally a repository name) to check.
    Subclasses supply the actual decision in ``check_permissions``.
    """

    def __init__(self, *perms):
        # duplicates collapse; the order of required permissions is irrelevant
        self.required_perms = set(perms)

    def __call__(self, check_location='unspecified', user=None, repo_name=None):
        """
        Run the permission check and log its outcome.

        :param check_location: free-form label that only appears in the
            debug log
        :param user: an ``AuthUser``, or any object with a ``user_id``
            attribute from which an ``AuthUser`` is built
        :param repo_name: repository name handed to ``check_permissions``
        :returns: True when ``check_permissions`` accepts, False otherwise;
            a missing (falsy) user is always denied
        """
        checker = self.__class__.__name__
        check_scope = 'user:%s, repo:%s' % (user, repo_name)
        log.debug('checking cls:%s %s %s @ %s', checker,
                  self.required_perms, check_scope, check_location)
        if not user:
            # fail closed: without a user there is nothing to evaluate
            log.debug('Empty User passed into arguments')
            return False

        ## process user
        auth_user = user
        if not isinstance(auth_user, AuthUser):
            auth_user = AuthUser(user.user_id)

        if not self.check_permissions(auth_user.permissions, repo_name):
            log.debug('Permission to %s denied for user: %s @ %s', repo_name,
                      auth_user, check_location)
            return False

        log.debug('Permission to %s granted for user: %s @ %s', repo_name,
                  auth_user, check_location)
        return True

    def check_permissions(self, perm_defs, repo_name):
        """
        Decision hook; child classes must override it and return True if
        the permissions are ok, False otherwise.

        :param perm_defs: dict with permission definitions
        :param repo_name: repo name
        :raises NotImplementedError: always, in this base class
        """
        raise NotImplementedError()
class HasPermissionAllApi(_BaseApiPerm):
    """
    API checker that passes only when the user holds every required
    global permission.

    Built without any required permission, the subset test is vacuously
    true, so every user that reaches the check passes.
    """

    def __call__(self, user, check_location=''):
        # global permissions are not tied to a repository, so no repo_name
        # is forwarded to the base class
        base = super(HasPermissionAllApi, self)
        return base.__call__(check_location=check_location, user=user)

    def check_permissions(self, perm_defs, repo):
        """
        :param perm_defs: dict with permission definitions; only the
            ``'global'`` entry is consulted
        :param repo: not used by this checker
        :returns: True when all required permissions are in ``'global'``
        """
        # NOTE(review): perm_defs.get('global') is None when the key is
        # absent, and issubset(None) then raises TypeError instead of
        # denying - confirm every caller supplies 'global'.
        return self.required_perms.issubset(perm_defs.get('global'))
class HasPermissionAnyApi(_BaseApiPerm):
    """
    API checker that passes when the user holds at least one of the
    required global permissions.

    Built without any required permission, the intersection is always
    empty and the check denies everyone.
    """

    def __call__(self, user, check_location=''):
        # global permissions are not tied to a repository, so no repo_name
        # is forwarded to the base class
        base = super(HasPermissionAnyApi, self)
        return base.__call__(check_location=check_location, user=user)

    def check_permissions(self, perm_defs, repo):
        """
        :param perm_defs: dict with permission definitions; only the
            ``'global'`` entry is consulted
        :param repo: not used by this checker
        :returns: True when a required permission is found in ``'global'``
        """
        # NOTE(review): perm_defs.get('global') is None when the key is
        # absent, and intersection(None) then raises TypeError instead of
        # denying - confirm every caller supplies 'global'.
        common = self.required_perms.intersection(perm_defs.get('global'))
        return bool(common)
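class HasRepoPermissionAllApi(_BaseApiPerm):
    """
    API checker that passes only when the user's permission on the given
    repository covers every required permission.

    The user's side of the comparison is a one-element set (the single
    permission stored for the repository), so the check can only pass when
    the required permissions are empty or consist of exactly that one
    permission.
    """

    def __call__(self, user, repo_name, check_location=''):
        return super(HasRepoPermissionAllApi, self).__call__(
            check_location=check_location, user=user, repo_name=repo_name)

    def check_permissions(self, perm_defs, repo_name):
        """
        :param perm_defs: dict with permission definitions; the
            ``'repositories'`` mapping is looked up by ``repo_name``
        :param repo_name: repository the permission is checked for
        :returns: True when every required permission is held on the
            repository; False otherwise, including when no permission
            entry exists for ``repo_name``
        """
        # NOTE(review): the middleware checker in this file normalises
        # repo_name with safe_unicode() before the same lookup; this one
        # does not - confirm callers pass the key type the dict uses.
        try:
            # kept in a local, as HasRepoPermissionAnyApi does, so that no
            # per-user permission data lingers on the checker instance
            # between calls
            user_perms = set([perm_defs['repositories'][repo_name]])
        except KeyError:
            # no entry for this repository: fail closed
            log.warning(traceback.format_exc())
            return False
        return self.required_perms.issubset(user_perms)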
class HasRepoPermissionAnyApi(_BaseApiPerm):
    """
    API checker that passes when the user's permission on the given
    repository is one of the required permissions.
    """

    def __call__(self, user, repo_name, check_location=''):
        base = super(HasRepoPermissionAnyApi, self)
        return base.__call__(check_location=check_location, user=user,
                             repo_name=repo_name)

    def check_permissions(self, perm_defs, repo_name):
        """
        :param perm_defs: dict with permission definitions; the
            ``'repositories'`` mapping is looked up by ``repo_name``
        :param repo_name: repository the permission is checked for
        :returns: True when the permission held on the repository is among
            the required ones; False otherwise, including when no
            permission entry exists for ``repo_name``
        """
        try:
            repo_perm = perm_defs['repositories'][repo_name]
        except KeyError:
            # no entry for this repository: fail closed
            log.warning(traceback.format_exc())
            return False
        held = set((repo_perm,))
        return bool(self.required_perms.intersection(held))
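def check_ip_access(source_ip, allowed_ips=None):
    """
    Check whether ``source_ip`` lies inside any network of ``allowed_ips``.

    The check fails closed: it returns False when ``allowed_ips`` is not a
    tuple, list or set (including the default ``None``), when it is empty,
    when ``source_ip`` cannot be parsed, or when no entry contains the
    address. Callers must therefore always pass an explicit allow-list.

    :param source_ip: address to test, parsed with ``ipaddr.IPAddress``
    :param allowed_ips: list of allowed ips together with mask, each
        parsed with ``ipaddr.IPNetwork``
    :returns: True on the first network containing ``source_ip``,
        False otherwise
    """
    # NOTE(review): the result is only as trustworthy as the source_ip the
    # caller supplies - confirm how it is derived, e.g. behind a proxy.
    from rhodecode.lib import ipaddr
    log.debug('checking if ip:%s is subnet of %s' % (source_ip, allowed_ips))
    if not isinstance(allowed_ips, (tuple, list, set)) or not allowed_ips:
        return False

    # Parse the source address once. A malformed address can never match,
    # so deny right away with a single log entry instead of writing one
    # traceback per allow-list entry.
    try:
        source = ipaddr.IPAddress(source_ip)
    except Exception:
        log.error(traceback.format_exc())
        return False

    for ip in allowed_ips:
        try:
            if source in ipaddr.IPNetwork(ip):
                return True
        except Exception:
            # a malformed allow-list entry must not crash the check:
            # log it and move on, the answer stays "forbidden" unless
            # another entry matches
            log.error(traceback.format_exc())
            continue
    return False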