comparison rhodecode/lib/auth.py @ 3125:9b92cf5a0cca beta
Added UserIpMap interface for allowed IP addresses and IP restriction access
ref #264 IP restriction for users and user groups
author | Marcin Kuzminski <marcin@python-works.com> |
---|---|
date | Sun, 30 Dec 2012 23:06:03 +0100 |
parents | aa17c7a1b8a5 |
children | 6c705abed11a |
3124:6659c5af04e7 | 3125:9b92cf5a0cca |
---|---|
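--- a/rhodecode/lib/auth.py
+++ b/rhodecode/lib/auth.py
@@ -43,11 +43,11 @@
 from rhodecode.lib.utils import get_repo_slug, get_repos_group_slug
 from rhodecode.lib.auth_ldap import AuthLdap
 
 from rhodecode.model import meta
 from rhodecode.model.user import UserModel
-from rhodecode.model.db import Permission, RhodeCodeSetting, User
+from rhodecode.model.db import Permission, RhodeCodeSetting, User, UserIpMap
 
 log = logging.getLogger(__name__)
 
 
 class PasswordGenerator(object):
@@ -311,23 +311,25 @@
 Then it fills all required information for such user. It also checks if
 anonymous access is enabled and if so, it returns default user as logged
 in
 """
 
-def __init__(self, user_id=None, api_key=None, username=None):
+def __init__(self, user_id=None, api_key=None, username=None, ip_addr=None):
 
 self.user_id = user_id
 self.api_key = None
 self.username = username
+self.ip_addr = ip_addr
 
 self.name = ''
 self.lastname = ''
 self.email = ''
 self.is_authenticated = False
 self.admin = False
 self.inherit_default_permissions = False
 self.permissions = {}
+self.allowed_ips = set()
 self._api_key = api_key
 self.propagate_data()
 self._instance = None
 
 def propagate_data(self):
@@ -373,10 +375,12 @@
 if not self.username:
 self.username = 'None'
 
 log.debug('Auth User is now %s' % self)
 user_model.fill_perms(self)
+log.debug('Filling Allowed IPs')
+self.allowed_ips = AuthUser.get_allowed_ips(self.user_id)
 
 @property
 def is_admin(self):
 return self.admin
 
@@ -403,10 +407,18 @@
 """
 user_id = cookie_store.get('user_id')
 username = cookie_store.get('username')
 api_key = cookie_store.get('api_key')
 return AuthUser(user_id, api_key, username)
+
+@classmethod
+def get_allowed_ips(cls, user_id):
+_set = set()
+user_ips = UserIpMap.query().filter(UserIpMap.user_id == user_id).all()
+for ip in user_ips:
+_set.add(ip.ip_addr)
+return _set or set(['0.0.0.0/0'])
 
 
 def set_available_permissions(config):
 """
 This function will propagate pylons globals with all available defined
@@ -819,5 +831,21 @@
 log.debug('permission denied for user:%s on repo:%s' % (
 self.username, self.repo_name
 )
 )
 return False
+
+
+def check_ip_access(source_ip, allowed_ips=None):
+"""
+Checks if source_ip is a subnet of any of allowed_ips.
+
+:param source_ip:
+:param allowed_ips: list of allowed ips together with mask
+"""
+from rhodecode.lib import ipaddr
+log.debug('checking if ip:%s is subnet of %s' % (source_ip, allowed_ips))
+if isinstance(allowed_ips, (tuple, list, set)):
+for ip in allowed_ips:
+if ipaddr.IPAddress(source_ip) in ipaddr.IPNetwork(ip):
+return True
+return False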
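Review bot: In `check_ip_access` both `ipaddr.IPAddress(source_ip)` and `ipaddr.IPNetwork(ip)` raise `ValueError` on unparsable input, so a malformed client address (which, if it is derived from a proxy header, is attacker-controlled) or a single bad row in `UserIpMap` turns the access decision into an unhandled exception rather than a deny. I would parse the source address once before the loop and treat `ValueError` as a denial, and skip a malformed allow-list entry instead of aborting the whole check, so the function fails closed on bad data as it already does for `allowed_ips=None`. Separately, the fallback `set(['0.0.0.0/0'])` in `get_allowed_ips` is IPv4-only: if this ipaddr copy refuses cross-version containment as the upstream library does, an unrestricted user connecting over IPv6 would be denied, so the default should also carry `'::/0'`. Where `ip_addr` is taken from and where `check_ip_access` is enforced is not visible in this diff, so the proxy-header point is an assumption to confirm at the call site.
```python
def check_ip_access(source_ip, allowed_ips=None):
    # … unchanged: docstring, ipaddr import, debug log …
    if not isinstance(allowed_ips, (tuple, list, set)):
        return False
    try:
        source = ipaddr.IPAddress(source_ip)
    except ValueError:
        # unparsable client address: deny rather than raise
        return False
    for ip in allowed_ips:
        try:
            if source in ipaddr.IPNetwork(ip):
                return True
        except ValueError:
            # one malformed stored entry must not break the whole check
            log.warning('ignoring malformed allowed ip entry: %r' % ip)
    return False
```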