Mercurial > kallithea
comparison rhodecode/lib/auth.py @ 3125:9b92cf5a0cca beta
Added UserIpMap interface for allowed IP addresses and IP restriction access
ref #264 IP restriction for users and user groups
| author | Marcin Kuzminski <marcin@python-works.com> |
|---|---|
| date | Sun, 30 Dec 2012 23:06:03 +0100 |
| parents | aa17c7a1b8a5 |
| children | 6c705abed11a |
comparison
equal
deleted
inserted
replaced
| 3124:6659c5af04e7 | 3125:9b92cf5a0cca |
|---|---|
| 43 from rhodecode.lib.utils import get_repo_slug, get_repos_group_slug | 43 from rhodecode.lib.utils import get_repo_slug, get_repos_group_slug |
| 44 from rhodecode.lib.auth_ldap import AuthLdap | 44 from rhodecode.lib.auth_ldap import AuthLdap |
| 45 | 45 |
| 46 from rhodecode.model import meta | 46 from rhodecode.model import meta |
| 47 from rhodecode.model.user import UserModel | 47 from rhodecode.model.user import UserModel |
| 48 from rhodecode.model.db import Permission, RhodeCodeSetting, User | 48 from rhodecode.model.db import Permission, RhodeCodeSetting, User, UserIpMap |
| 49 | 49 |
| 50 log = logging.getLogger(__name__) | 50 log = logging.getLogger(__name__) |
| 51 | 51 |
| 52 | 52 |
| 53 class PasswordGenerator(object): | 53 class PasswordGenerator(object): |
| 311 Then it fills all required information for such user. It also checks if | 311 Then it fills all required information for such user. It also checks if |
| 312 anonymous access is enabled and if so, it returns default user as logged | 312 anonymous access is enabled and if so, it returns default user as logged |
| 313 in | 313 in |
| 314 """ | 314 """ |
| 315 | 315 |
| 316 def __init__(self, user_id=None, api_key=None, username=None): | 316 def __init__(self, user_id=None, api_key=None, username=None, ip_addr=None): |
| 317 | 317 |
| 318 self.user_id = user_id | 318 self.user_id = user_id |
| 319 self.api_key = None | 319 self.api_key = None |
| 320 self.username = username | 320 self.username = username |
| 321 self.ip_addr = ip_addr | |
| 321 | 322 |
| 322 self.name = '' | 323 self.name = '' |
| 323 self.lastname = '' | 324 self.lastname = '' |
| 324 self.email = '' | 325 self.email = '' |
| 325 self.is_authenticated = False | 326 self.is_authenticated = False |
| 326 self.admin = False | 327 self.admin = False |
| 327 self.inherit_default_permissions = False | 328 self.inherit_default_permissions = False |
| 328 self.permissions = {} | 329 self.permissions = {} |
| 330 self.allowed_ips = set() | |
| 329 self._api_key = api_key | 331 self._api_key = api_key |
| 330 self.propagate_data() | 332 self.propagate_data() |
| 331 self._instance = None | 333 self._instance = None |
| 332 | 334 |
| 333 def propagate_data(self): | 335 def propagate_data(self): |
| 373 if not self.username: | 375 if not self.username: |
| 374 self.username = 'None' | 376 self.username = 'None' |
| 375 | 377 |
| 376 log.debug('Auth User is now %s' % self) | 378 log.debug('Auth User is now %s' % self) |
| 377 user_model.fill_perms(self) | 379 user_model.fill_perms(self) |
| 380 log.debug('Filling Allowed IPs') | |
| 381 self.allowed_ips = AuthUser.get_allowed_ips(self.user_id) | |
| 378 | 382 |
| 379 @property | 383 @property |
| 380 def is_admin(self): | 384 def is_admin(self): |
| 381 return self.admin | 385 return self.admin |
| 382 | 386 |
| 403 """ | 407 """ |
| 404 user_id = cookie_store.get('user_id') | 408 user_id = cookie_store.get('user_id') |
| 405 username = cookie_store.get('username') | 409 username = cookie_store.get('username') |
| 406 api_key = cookie_store.get('api_key') | 410 api_key = cookie_store.get('api_key') |
| 407 return AuthUser(user_id, api_key, username) | 411 return AuthUser(user_id, api_key, username) |
| 412 | |
| 413 @classmethod | |
| 414 def get_allowed_ips(cls, user_id): | |
| 415 _set = set() | |
| 416 user_ips = UserIpMap.query().filter(UserIpMap.user_id == user_id).all() | |
| 417 for ip in user_ips: | |
| 418 _set.add(ip.ip_addr) | |
| 419 return _set or set(['0.0.0.0/0']) | |
| 408 | 420 |
| 409 | 421 |
| 410 def set_available_permissions(config): | 422 def set_available_permissions(config): |
| 411 """ | 423 """ |
| 412 This function will propagate pylons globals with all available defined | 424 This function will propagate pylons globals with all available defined |
| 819 log.debug('permission denied for user:%s on repo:%s' % ( | 831 log.debug('permission denied for user:%s on repo:%s' % ( |
| 820 self.username, self.repo_name | 832 self.username, self.repo_name |
| 821 ) | 833 ) |
| 822 ) | 834 ) |
| 823 return False | 835 return False |
| 836 | |
| 837 | |
| 838 def check_ip_access(source_ip, allowed_ips=None): | |
| 839 """ | |
| 840 Checks if source_ip is a subnet of any of allowed_ips. | |
| 841 | |
| 842 :param source_ip: | |
| 843 :param allowed_ips: list of allowed ips together with mask | |
| 844 """ | |
| 845 from rhodecode.lib import ipaddr | |
| 846 log.debug('checking if ip:%s is subnet of %s' % (source_ip, allowed_ips)) | |
| 847 if isinstance(allowed_ips, (tuple, list, set)): | |
| 848 for ip in allowed_ips: | |
| 849 if ipaddr.IPAddress(source_ip) in ipaddr.IPNetwork(ip): | |
| 850 return True | |
| 851 return False |