Show More
| @@ -0,0 +1,61 b'' | |||
|
|
1 | ||
|
|
2 | ||
|
|
3 | <div class="panel panel-default"> | |
|
|
4 | <div class="panel-heading"> | |
|
|
5 | <h3 class="panel-title">${_('View whitelist')}</h3> | |
|
|
6 | </div> | |
|
|
7 | <div class="panel-body"> | |
|
|
8 | <div class=""> | |
|
|
9 | ||
|
|
10 | <p class="pr-description"> | |
|
|
11 | View white list defines a set of views that can be accessed using auth token without the need to login. | |
|
|
12 | Adding ?auth_token = SECRET_TOKEN to the url authenticates this request as if it | |
|
|
13 | came from the the logged in user who owns this authentication token. | |
|
|
14 | ||
|
|
15 | E.g. adding `RepoFilesView.repo_file_raw` allows to access a raw diff using such url: | |
|
|
16 | http[s]://server.com/{repo_name}/raw/{commit_id}/{file_path}?auth_token=SECRET_TOKEN | |
|
|
17 | ||
|
|
18 | White list can be defined inside `${c.whitelist_file}` under `${c.whitelist_key}=` setting | |
|
|
19 | ||
|
|
20 | Currently under this settings following views are set: | |
|
|
21 | </p> | |
|
|
22 | ||
|
|
23 | <pre> | |
|
|
24 | % for entry in c.whitelist_views: | |
|
|
25 | ${entry} | |
|
|
26 | % endfor | |
|
|
27 | </pre> | |
|
|
28 | ||
|
|
29 | </div> | |
|
|
30 | ||
|
|
31 | </div> | |
|
|
32 | </div> | |
|
|
33 | ||
|
|
34 | ||
|
|
35 | <div class="panel panel-default"> | |
|
|
36 | <div class="panel-heading"> | |
|
|
37 | <h3 class="panel-title">${_('List of views available for usage in whitelist access')}</h3> | |
|
|
38 | </div> | |
|
|
39 | <div class="panel-body"> | |
|
|
40 | <div class=""> | |
|
|
41 | ||
|
|
42 | ||
|
|
43 | <table class="rctable ip-whitelist"> | |
|
|
44 | <tr> | |
|
|
45 | <th>Active</th> | |
|
|
46 | <th>View FQN</th> | |
|
|
47 | <th>URL pattern</th> | |
|
|
48 | </tr> | |
|
|
49 | ||
|
|
50 | % for route_name, view_fqn, view_url, active in c.view_data: | |
|
|
51 | <tr> | |
|
|
52 | <td class="td-x">${h.bool2icon(active)}</td> | |
|
|
53 | <td class="td-x">${view_fqn}</td> | |
|
|
54 | <td class="td-x" title="${route_name}">${view_url}</td> | |
|
|
55 | </tr> | |
|
|
56 | % endfor | |
|
|
57 | </table> | |
|
|
58 | </div> | |
|
|
59 | ||
|
|
60 | </div> | |
|
|
61 | </div> | |
| @@ -201,22 +201,21 b' rss_include_diff = false' | |||
|
|
201 | 201 | ## RhodeCode url, ie. http[s]://rhodecode.server/_admin/gists/{gistid} |
|
|
202 | 202 | gist_alias_url = |
|
|
203 | 203 | |
|
|
204 |
## List of |
|
|
|
204 | ## List of views (using glob pattern syntax) that AUTH TOKENS could be | |
|
|
205 | 205 | ## used for access. |
|
|
206 | 206 | ## Adding ?auth_token=TOKEN_HASH to the url authenticates this request as if it |
|
|
207 | 207 | ## came from the the logged in user who own this authentication token. |
|
|
208 | 208 | ## |
|
|
209 | ## Syntax is ControllerClass:function_pattern. | |
|
|
210 | ## To enable access to raw_files put `FilesController:raw`. | |
|
|
211 | ## To enable access to patches add `ChangesetController:changeset_patch`. | |
|
|
209 | ## list of all views can be found under `_admin/permissions/auth_token_access` | |
|
|
212 | 210 | ## The list should be "," separated and on a single line. |
|
|
213 | 211 | ## |
|
|
214 |
## |
|
|
|
215 |
# ChangesetController:changeset_patch |
|
|
|
216 |
# ChangesetController:changeset_raw |
|
|
|
217 | # FilesController:raw, | |
|
|
218 |
# |
|
|
|
219 | # GistsController:*, | |
|
|
212 | ## Most common views to enable: | |
|
|
213 | # ChangesetController:changeset_patch | |
|
|
214 | # ChangesetController:changeset_raw | |
|
|
215 | # RepoFilesView.repo_files_diff | |
|
|
216 | # RepoFilesView.repo_archivefile | |
|
|
217 | # RepoFilesView.repo_file_raw | |
|
|
218 | # GistView:* | |
|
|
220 | 219 | api_access_controllers_whitelist = |
|
|
221 | 220 | |
|
|
222 | 221 | ## default encoding used to convert from and to unicode |
| @@ -175,22 +175,21 b' rss_include_diff = false' | |||
|
|
175 | 175 | ## RhodeCode url, ie. http[s]://rhodecode.server/_admin/gists/{gistid} |
|
|
176 | 176 | gist_alias_url = |
|
|
177 | 177 | |
|
|
178 |
## List of |
|
|
|
178 | ## List of views (using glob pattern syntax) that AUTH TOKENS could be | |
|
|
179 | 179 | ## used for access. |
|
|
180 | 180 | ## Adding ?auth_token=TOKEN_HASH to the url authenticates this request as if it |
|
|
181 | 181 | ## came from the the logged in user who own this authentication token. |
|
|
182 | 182 | ## |
|
|
183 | ## Syntax is ControllerClass:function_pattern. | |
|
|
184 | ## To enable access to raw_files put `FilesController:raw`. | |
|
|
185 | ## To enable access to patches add `ChangesetController:changeset_patch`. | |
|
|
183 | ## list of all views can be found under `_admin/permissions/auth_token_access` | |
|
|
186 | 184 | ## The list should be "," separated and on a single line. |
|
|
187 | 185 | ## |
|
|
188 |
## |
|
|
|
189 |
# ChangesetController:changeset_patch |
|
|
|
190 |
# ChangesetController:changeset_raw |
|
|
|
191 | # FilesController:raw, | |
|
|
192 |
# |
|
|
|
193 | # GistsController:*, | |
|
|
186 | ## Most common views to enable: | |
|
|
187 | # ChangesetController:changeset_patch | |
|
|
188 | # ChangesetController:changeset_raw | |
|
|
189 | # RepoFilesView.repo_files_diff | |
|
|
190 | # RepoFilesView.repo_archivefile | |
|
|
191 | # RepoFilesView.repo_file_raw | |
|
|
192 | # GistView:* | |
|
|
194 | 193 | api_access_controllers_whitelist = |
|
|
195 | 194 | |
|
|
196 | 195 | ## default encoding used to convert from and to unicode |
| @@ -102,6 +102,10 b' def admin_routes(config):' | |||
|
|
102 | 102 | name='admin_permissions_overview', |
|
|
103 | 103 | pattern='/permissions/overview') |
|
|
104 | 104 | |
|
|
105 | config.add_route( | |
|
|
106 | name='admin_permissions_auth_token_access', | |
|
|
107 | pattern='/permissions/auth_token_access') | |
|
|
108 | ||
|
|
105 | 109 | # users admin |
|
|
106 | 110 | config.add_route( |
|
|
107 | 111 | name='users', |
| @@ -18,8 +18,10 b'' | |||
|
|
18 | 18 | # RhodeCode Enterprise Edition, including its added features, Support services, |
|
|
19 | 19 | # and proprietary license terms, please see https://rhodecode.com/licenses/ |
|
|
20 | 20 | |
|
|
21 | import re | |
|
|
21 | 22 | import logging |
|
|
22 | 23 | import formencode |
|
|
24 | from pyramid.interfaces import IRoutesMapper | |
|
|
23 | 25 | |
|
|
24 | 26 | from pyramid.view import view_config |
|
|
25 | 27 | from pyramid.httpexceptions import HTTPFound |
| @@ -31,6 +33,7 b' from rhodecode.apps._base import BaseApp' | |||
|
|
31 | 33 | from rhodecode.lib import helpers as h |
|
|
32 | 34 | from rhodecode.lib.auth import ( |
|
|
33 | 35 | LoginRequired, HasPermissionAllDecorator, CSRFRequired) |
|
|
36 | from rhodecode.lib.utils2 import aslist | |
|
|
34 | 37 | from rhodecode.model.db import User, UserIpMap |
|
|
35 | 38 | from rhodecode.model.forms import ( |
|
|
36 | 39 | ApplicationPermissionsForm, ObjectPermissionsForm, UserPermissionsForm) |
| @@ -308,3 +311,59 b' class AdminPermissionsView(BaseAppView):' | |||
|
|
308 | 311 | c.user = User.get_default_user(refresh=True) |
|
|
309 | 312 | c.perm_user = c.user.AuthUser |
|
|
310 | 313 | return self._get_template_context(c) |
|
|
314 | ||
|
|
315 | @LoginRequired() | |
|
|
316 | @HasPermissionAllDecorator('hg.admin') | |
|
|
317 | @view_config( | |
|
|
318 | route_name='admin_permissions_auth_token_access', request_method='GET', | |
|
|
319 | renderer='rhodecode:templates/admin/permissions/permissions.mako') | |
|
|
320 | def auth_token_access(self): | |
|
|
321 | from rhodecode import CONFIG | |
|
|
322 | ||
|
|
323 | c = self.load_default_context() | |
|
|
324 | c.active = 'auth_token_access' | |
|
|
325 | ||
|
|
326 | c.user = User.get_default_user(refresh=True) | |
|
|
327 | c.perm_user = c.user.AuthUser | |
|
|
328 | ||
|
|
329 | mapper = self.request.registry.queryUtility(IRoutesMapper) | |
|
|
330 | c.view_data = [] | |
|
|
331 | ||
|
|
332 | _argument_prog = re.compile('\{(.*?)\}|:\((.*)\)') | |
|
|
333 | introspector = self.request.registry.introspector | |
|
|
334 | ||
|
|
335 | view_intr = {} | |
|
|
336 | for view_data in introspector.get_category('views'): | |
|
|
337 | intr = view_data['introspectable'] | |
|
|
338 | ||
|
|
339 | if 'route_name' in intr and intr['attr']: | |
|
|
340 | view_intr[intr['route_name']] = '{}.{}'.format( | |
|
|
341 | str(intr['derived_callable'].func_name), intr['attr'] | |
|
|
342 | ) | |
|
|
343 | ||
|
|
344 | c.whitelist_key = 'api_access_controllers_whitelist' | |
|
|
345 | c.whitelist_file = CONFIG.get('__file__') | |
|
|
346 | whitelist_views = aslist( | |
|
|
347 | CONFIG.get(c.whitelist_key), sep=',') | |
|
|
348 | ||
|
|
349 | for route_info in mapper.get_routes(): | |
|
|
350 | if not route_info.name.startswith('__'): | |
|
|
351 | routepath = route_info.pattern | |
|
|
352 | ||
|
|
353 | def replace(matchobj): | |
|
|
354 | if matchobj.group(1): | |
|
|
355 | return "{%s}" % matchobj.group(1).split(':')[0] | |
|
|
356 | else: | |
|
|
357 | return "{%s}" % matchobj.group(2) | |
|
|
358 | ||
|
|
359 | routepath = _argument_prog.sub(replace, routepath) | |
|
|
360 | ||
|
|
361 | if not routepath.startswith('/'): | |
|
|
362 | routepath = '/' + routepath | |
|
|
363 | ||
|
|
364 | view_fqn = view_intr.get(route_info.name, 'NOT AVAILABLE') | |
|
|
365 | active = view_fqn in whitelist_views | |
|
|
366 | c.view_data.append((route_info.name, view_fqn, routepath, active)) | |
|
|
367 | ||
|
|
368 | c.whitelist_views = whitelist_views | |
|
|
369 | return self._get_template_context(c) | |
| @@ -71,6 +71,7 b' function registerRCRoutes() {' | |||
|
|
71 | 71 | pyroutes.register('admin_permissions_object_update', '/_admin/permissions/object/update', []); |
|
|
72 | 72 | pyroutes.register('admin_permissions_ips', '/_admin/permissions/ips', []); |
|
|
73 | 73 | pyroutes.register('admin_permissions_overview', '/_admin/permissions/overview', []); |
|
|
74 | pyroutes.register('admin_permissions_auth_token_access', '/_admin/permissions/auth_token_access', []); | |
|
|
74 | 75 | pyroutes.register('users', '/_admin/users', []); |
|
|
75 | 76 | pyroutes.register('users_data', '/_admin/users_data', []); |
|
|
76 | 77 | pyroutes.register('edit_user_auth_tokens', '/_admin/users/%(user_id)s/edit/auth_tokens', ['user_id']); |
| @@ -176,7 +177,7 b' function registerRCRoutes() {' | |||
|
|
176 | 177 | pyroutes.register('my_account_edit', '/_admin/my_account/edit', []); |
|
|
177 | 178 | pyroutes.register('my_account_update', '/_admin/my_account/update', []); |
|
|
178 | 179 | pyroutes.register('my_account_password', '/_admin/my_account/password', []); |
|
|
179 | pyroutes.register('my_account_password_update', '/_admin/my_account/password', []); | |
|
|
180 | pyroutes.register('my_account_password_update', '/_admin/my_account/password/update', []); | |
|
|
180 | 181 | pyroutes.register('my_account_auth_tokens', '/_admin/my_account/auth_tokens', []); |
|
|
181 | 182 | pyroutes.register('my_account_auth_tokens_add', '/_admin/my_account/auth_tokens/new', []); |
|
|
182 | 183 | pyroutes.register('my_account_auth_tokens_delete', '/_admin/my_account/auth_tokens/delete', []); |
| @@ -41,6 +41,9 b'' | |||
|
|
41 | 41 | <li class="${'active' if c.active=='ips' else ''}"> |
|
|
42 | 42 | <a href="${h.route_path('admin_permissions_ips')}">${_('IP Whitelist')}</a> |
|
|
43 | 43 | </li> |
|
|
44 | <li class="${'active' if c.active=='auth_token_access' else ''}"> | |
|
|
45 | <a href="${h.route_path('admin_permissions_auth_token_access')}">${_('AuthToken Access')}</a> | |
|
|
46 | </li> | |
|
|
44 | 47 | <li class="${'active' if c.active=='perms' else ''}"> |
|
|
45 | 48 | <a href="${h.route_path('admin_permissions_overview')}">${_('Overview')}</a> |
|
|
46 | 49 | </li> |
General Comments 0
You need to be logged in to leave comments.
Login now