##// END OF EJS Templates
rhodecode-enterprise-ce
RSS
branch permissions: fixed a case of showing branch permissions entries when inheritation model is used....
dan -
r3154:ea307128 default
parent child Browse files
Show More
Show file before | Show file after | Hide comments
@@ -1,2355 +1,2356 b''
1 # -*- coding: utf-8 -*-
1 # -*- coding: utf-8 -*-
2
2
3 # Copyright (C) 2010-2018 RhodeCode GmbH
3 # Copyright (C) 2010-2018 RhodeCode GmbH
4 #
4 #
5 # This program is free software: you can redistribute it and/or modify
5 # This program is free software: you can redistribute it and/or modify
6 # it under the terms of the GNU Affero General Public License, version 3
6 # it under the terms of the GNU Affero General Public License, version 3
7 # (only), as published by the Free Software Foundation.
7 # (only), as published by the Free Software Foundation.
8 #
8 #
9 # This program is distributed in the hope that it will be useful,
9 # This program is distributed in the hope that it will be useful,
10 # but WITHOUT ANY WARRANTY; without even the implied warranty of
10 # but WITHOUT ANY WARRANTY; without even the implied warranty of
11 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 # GNU General Public License for more details.
12 # GNU General Public License for more details.
13 #
13 #
14 # You should have received a copy of the GNU Affero General Public License
14 # You should have received a copy of the GNU Affero General Public License
15 # along with this program. If not, see <http://www.gnu.org/licenses/>.
15 # along with this program. If not, see <http://www.gnu.org/licenses/>.
16 #
16 #
17 # This program is dual-licensed. If you wish to learn more about the
17 # This program is dual-licensed. If you wish to learn more about the
18 # RhodeCode Enterprise Edition, including its added features, Support services,
18 # RhodeCode Enterprise Edition, including its added features, Support services,
19 # and proprietary license terms, please see https://rhodecode.com/licenses/
19 # and proprietary license terms, please see https://rhodecode.com/licenses/
20
20
21 """
21 """
22 authentication and permission libraries
22 authentication and permission libraries
23 """
23 """
24
24
25 import os
25 import os
26 import time
26 import time
27 import inspect
27 import inspect
28 import collections
28 import collections
29 import fnmatch
29 import fnmatch
30 import hashlib
30 import hashlib
31 import itertools
31 import itertools
32 import logging
32 import logging
33 import random
33 import random
34 import traceback
34 import traceback
35 from functools import wraps
35 from functools import wraps
36
36
37 import ipaddress
37 import ipaddress
38
38
39 from pyramid.httpexceptions import HTTPForbidden, HTTPFound, HTTPNotFound
39 from pyramid.httpexceptions import HTTPForbidden, HTTPFound, HTTPNotFound
40 from sqlalchemy.orm.exc import ObjectDeletedError
40 from sqlalchemy.orm.exc import ObjectDeletedError
41 from sqlalchemy.orm import joinedload
41 from sqlalchemy.orm import joinedload
42 from zope.cachedescriptors.property import Lazy as LazyProperty
42 from zope.cachedescriptors.property import Lazy as LazyProperty
43
43
44 import rhodecode
44 import rhodecode
45 from rhodecode.model import meta
45 from rhodecode.model import meta
46 from rhodecode.model.meta import Session
46 from rhodecode.model.meta import Session
47 from rhodecode.model.user import UserModel
47 from rhodecode.model.user import UserModel
48 from rhodecode.model.db import (
48 from rhodecode.model.db import (
49 User, Repository, Permission, UserToPerm, UserGroupToPerm, UserGroupMember,
49 User, Repository, Permission, UserToPerm, UserGroupToPerm, UserGroupMember,
50 UserIpMap, UserApiKeys, RepoGroup, UserGroup)
50 UserIpMap, UserApiKeys, RepoGroup, UserGroup)
51 from rhodecode.lib import rc_cache
51 from rhodecode.lib import rc_cache
52 from rhodecode.lib.utils2 import safe_unicode, aslist, safe_str, md5, safe_int, sha1
52 from rhodecode.lib.utils2 import safe_unicode, aslist, safe_str, md5, safe_int, sha1
53 from rhodecode.lib.utils import (
53 from rhodecode.lib.utils import (
54 get_repo_slug, get_repo_group_slug, get_user_group_slug)
54 get_repo_slug, get_repo_group_slug, get_user_group_slug)
55 from rhodecode.lib.caching_query import FromCache
55 from rhodecode.lib.caching_query import FromCache
56
56
57
57
58 if rhodecode.is_unix:
58 if rhodecode.is_unix:
59 import bcrypt
59 import bcrypt
60
60
61 log = logging.getLogger(__name__)
61 log = logging.getLogger(__name__)
62
62
63 csrf_token_key = "csrf_token"
63 csrf_token_key = "csrf_token"
64
64
65
65
66 class PasswordGenerator(object):
66 class PasswordGenerator(object):
67 """
67 """
68 This is a simple class for generating password from different sets of
68 This is a simple class for generating password from different sets of
69 characters
69 characters
70 usage::
70 usage::
71
72 passwd_gen = PasswordGenerator()
71 passwd_gen = PasswordGenerator()
73 #print 8-letter password containing only big and small letters
72 #print 8-letter password containing only big and small letters
74 of alphabet
73 of alphabet
75 passwd_gen.gen_password(8, passwd_gen.ALPHABETS_BIG_SMALL)
74 passwd_gen.gen_password(8, passwd_gen.ALPHABETS_BIG_SMALL)
76 """
75 """
77 ALPHABETS_NUM = r'''1234567890'''
76 ALPHABETS_NUM = r'''1234567890'''
78 ALPHABETS_SMALL = r'''qwertyuiopasdfghjklzxcvbnm'''
77 ALPHABETS_SMALL = r'''qwertyuiopasdfghjklzxcvbnm'''
79 ALPHABETS_BIG = r'''QWERTYUIOPASDFGHJKLZXCVBNM'''
78 ALPHABETS_BIG = r'''QWERTYUIOPASDFGHJKLZXCVBNM'''
80 ALPHABETS_SPECIAL = r'''`-=[]\;',./~!@#$%^&*()_+{}|:"<>?'''
79 ALPHABETS_SPECIAL = r'''`-=[]\;',./~!@#$%^&*()_+{}|:"<>?'''
81 ALPHABETS_FULL = ALPHABETS_BIG + ALPHABETS_SMALL \
80 ALPHABETS_FULL = ALPHABETS_BIG + ALPHABETS_SMALL \
82 + ALPHABETS_NUM + ALPHABETS_SPECIAL
81 + ALPHABETS_NUM + ALPHABETS_SPECIAL
83 ALPHABETS_ALPHANUM = ALPHABETS_BIG + ALPHABETS_SMALL + ALPHABETS_NUM
82 ALPHABETS_ALPHANUM = ALPHABETS_BIG + ALPHABETS_SMALL + ALPHABETS_NUM
84 ALPHABETS_BIG_SMALL = ALPHABETS_BIG + ALPHABETS_SMALL
83 ALPHABETS_BIG_SMALL = ALPHABETS_BIG + ALPHABETS_SMALL
85 ALPHABETS_ALPHANUM_BIG = ALPHABETS_BIG + ALPHABETS_NUM
84 ALPHABETS_ALPHANUM_BIG = ALPHABETS_BIG + ALPHABETS_NUM
86 ALPHABETS_ALPHANUM_SMALL = ALPHABETS_SMALL + ALPHABETS_NUM
85 ALPHABETS_ALPHANUM_SMALL = ALPHABETS_SMALL + ALPHABETS_NUM
87
86
88 def __init__(self, passwd=''):
87 def __init__(self, passwd=''):
89 self.passwd = passwd
88 self.passwd = passwd
90
89
91 def gen_password(self, length, type_=None):
90 def gen_password(self, length, type_=None):
92 if type_ is None:
91 if type_ is None:
93 type_ = self.ALPHABETS_FULL
92 type_ = self.ALPHABETS_FULL
94 self.passwd = ''.join([random.choice(type_) for _ in range(length)])
93 self.passwd = ''.join([random.choice(type_) for _ in range(length)])
95 return self.passwd
94 return self.passwd
96
95
97
96
98 class _RhodeCodeCryptoBase(object):
97 class _RhodeCodeCryptoBase(object):
99 ENC_PREF = None
98 ENC_PREF = None
100
99
101 def hash_create(self, str_):
100 def hash_create(self, str_):
102 """
101 """
103 hash the string using
102 hash the string using
104
103
105 :param str_: password to hash
104 :param str_: password to hash
106 """
105 """
107 raise NotImplementedError
106 raise NotImplementedError
108
107
109 def hash_check_with_upgrade(self, password, hashed):
108 def hash_check_with_upgrade(self, password, hashed):
110 """
109 """
111 Returns tuple in which first element is boolean that states that
110 Returns tuple in which first element is boolean that states that
112 given password matches it's hashed version, and the second is new hash
111 given password matches it's hashed version, and the second is new hash
113 of the password, in case this password should be migrated to new
112 of the password, in case this password should be migrated to new
114 cipher.
113 cipher.
115 """
114 """
116 checked_hash = self.hash_check(password, hashed)
115 checked_hash = self.hash_check(password, hashed)
117 return checked_hash, None
116 return checked_hash, None
118
117
119 def hash_check(self, password, hashed):
118 def hash_check(self, password, hashed):
120 """
119 """
121 Checks matching password with it's hashed value.
120 Checks matching password with it's hashed value.
122
121
123 :param password: password
122 :param password: password
124 :param hashed: password in hashed form
123 :param hashed: password in hashed form
125 """
124 """
126 raise NotImplementedError
125 raise NotImplementedError
127
126
128 def _assert_bytes(self, value):
127 def _assert_bytes(self, value):
129 """
128 """
130 Passing in an `unicode` object can lead to hard to detect issues
129 Passing in an `unicode` object can lead to hard to detect issues
131 if passwords contain non-ascii characters. Doing a type check
130 if passwords contain non-ascii characters. Doing a type check
132 during runtime, so that such mistakes are detected early on.
131 during runtime, so that such mistakes are detected early on.
133 """
132 """
134 if not isinstance(value, str):
133 if not isinstance(value, str):
135 raise TypeError(
134 raise TypeError(
136 "Bytestring required as input, got %r." % (value, ))
135 "Bytestring required as input, got %r." % (value, ))
137
136
138
137
139 class _RhodeCodeCryptoBCrypt(_RhodeCodeCryptoBase):
138 class _RhodeCodeCryptoBCrypt(_RhodeCodeCryptoBase):
140 ENC_PREF = ('$2a$10', '$2b$10')
139 ENC_PREF = ('$2a$10', '$2b$10')
141
140
142 def hash_create(self, str_):
141 def hash_create(self, str_):
143 self._assert_bytes(str_)
142 self._assert_bytes(str_)
144 return bcrypt.hashpw(str_, bcrypt.gensalt(10))
143 return bcrypt.hashpw(str_, bcrypt.gensalt(10))
145
144
146 def hash_check_with_upgrade(self, password, hashed):
145 def hash_check_with_upgrade(self, password, hashed):
147 """
146 """
148 Returns tuple in which first element is boolean that states that
147 Returns tuple in which first element is boolean that states that
149 given password matches it's hashed version, and the second is new hash
148 given password matches it's hashed version, and the second is new hash
150 of the password, in case this password should be migrated to new
149 of the password, in case this password should be migrated to new
151 cipher.
150 cipher.
152
151
153 This implements special upgrade logic which works like that:
152 This implements special upgrade logic which works like that:
154 - check if the given password == bcrypted hash, if yes then we
153 - check if the given password == bcrypted hash, if yes then we
155 properly used password and it was already in bcrypt. Proceed
154 properly used password and it was already in bcrypt. Proceed
156 without any changes
155 without any changes
157 - if bcrypt hash check is not working try with sha256. If hash compare
156 - if bcrypt hash check is not working try with sha256. If hash compare
158 is ok, it means we using correct but old hashed password. indicate
157 is ok, it means we using correct but old hashed password. indicate
159 hash change and proceed
158 hash change and proceed
160 """
159 """
161
160
162 new_hash = None
161 new_hash = None
163
162
164 # regular pw check
163 # regular pw check
165 password_match_bcrypt = self.hash_check(password, hashed)
164 password_match_bcrypt = self.hash_check(password, hashed)
166
165
167 # now we want to know if the password was maybe from sha256
166 # now we want to know if the password was maybe from sha256
168 # basically calling _RhodeCodeCryptoSha256().hash_check()
167 # basically calling _RhodeCodeCryptoSha256().hash_check()
169 if not password_match_bcrypt:
168 if not password_match_bcrypt:
170 if _RhodeCodeCryptoSha256().hash_check(password, hashed):
169 if _RhodeCodeCryptoSha256().hash_check(password, hashed):
171 new_hash = self.hash_create(password) # make new bcrypt hash
170 new_hash = self.hash_create(password) # make new bcrypt hash
172 password_match_bcrypt = True
171 password_match_bcrypt = True
173
172
174 return password_match_bcrypt, new_hash
173 return password_match_bcrypt, new_hash
175
174
176 def hash_check(self, password, hashed):
175 def hash_check(self, password, hashed):
177 """
176 """
178 Checks matching password with it's hashed value.
177 Checks matching password with it's hashed value.
179
178
180 :param password: password
179 :param password: password
181 :param hashed: password in hashed form
180 :param hashed: password in hashed form
182 """
181 """
183 self._assert_bytes(password)
182 self._assert_bytes(password)
184 try:
183 try:
185 return bcrypt.hashpw(password, hashed) == hashed
184 return bcrypt.hashpw(password, hashed) == hashed
186 except ValueError as e:
185 except ValueError as e:
187 # we're having a invalid salt here probably, we should not crash
186 # we're having a invalid salt here probably, we should not crash
188 # just return with False as it would be a wrong password.
187 # just return with False as it would be a wrong password.
189 log.debug('Failed to check password hash using bcrypt %s',
188 log.debug('Failed to check password hash using bcrypt %s',
190 safe_str(e))
189 safe_str(e))
191
190
192 return False
191 return False
193
192
194
193
195 class _RhodeCodeCryptoSha256(_RhodeCodeCryptoBase):
194 class _RhodeCodeCryptoSha256(_RhodeCodeCryptoBase):
196 ENC_PREF = '_'
195 ENC_PREF = '_'
197
196
198 def hash_create(self, str_):
197 def hash_create(self, str_):
199 self._assert_bytes(str_)
198 self._assert_bytes(str_)
200 return hashlib.sha256(str_).hexdigest()
199 return hashlib.sha256(str_).hexdigest()
201
200
202 def hash_check(self, password, hashed):
201 def hash_check(self, password, hashed):
203 """
202 """
204 Checks matching password with it's hashed value.
203 Checks matching password with it's hashed value.
205
204
206 :param password: password
205 :param password: password
207 :param hashed: password in hashed form
206 :param hashed: password in hashed form
208 """
207 """
209 self._assert_bytes(password)
208 self._assert_bytes(password)
210 return hashlib.sha256(password).hexdigest() == hashed
209 return hashlib.sha256(password).hexdigest() == hashed
211
210
212
211
213 class _RhodeCodeCryptoTest(_RhodeCodeCryptoBase):
212 class _RhodeCodeCryptoTest(_RhodeCodeCryptoBase):
214 ENC_PREF = '_'
213 ENC_PREF = '_'
215
214
216 def hash_create(self, str_):
215 def hash_create(self, str_):
217 self._assert_bytes(str_)
216 self._assert_bytes(str_)
218 return sha1(str_)
217 return sha1(str_)
219
218
220 def hash_check(self, password, hashed):
219 def hash_check(self, password, hashed):
221 """
220 """
222 Checks matching password with it's hashed value.
221 Checks matching password with it's hashed value.
223
222
224 :param password: password
223 :param password: password
225 :param hashed: password in hashed form
224 :param hashed: password in hashed form
226 """
225 """
227 self._assert_bytes(password)
226 self._assert_bytes(password)
228 return sha1(password) == hashed
227 return sha1(password) == hashed
229
228
230
229
231 def crypto_backend():
230 def crypto_backend():
232 """
231 """
233 Return the matching crypto backend.
232 Return the matching crypto backend.
234
233
235 Selection is based on if we run tests or not, we pick sha1-test backend to run
234 Selection is based on if we run tests or not, we pick sha1-test backend to run
236 tests faster since BCRYPT is expensive to calculate
235 tests faster since BCRYPT is expensive to calculate
237 """
236 """
238 if rhodecode.is_test:
237 if rhodecode.is_test:
239 RhodeCodeCrypto = _RhodeCodeCryptoTest()
238 RhodeCodeCrypto = _RhodeCodeCryptoTest()
240 else:
239 else:
241 RhodeCodeCrypto = _RhodeCodeCryptoBCrypt()
240 RhodeCodeCrypto = _RhodeCodeCryptoBCrypt()
242
241
243 return RhodeCodeCrypto
242 return RhodeCodeCrypto
244
243
245
244
246 def get_crypt_password(password):
245 def get_crypt_password(password):
247 """
246 """
248 Create the hash of `password` with the active crypto backend.
247 Create the hash of `password` with the active crypto backend.
249
248
250 :param password: The cleartext password.
249 :param password: The cleartext password.
251 :type password: unicode
250 :type password: unicode
252 """
251 """
253 password = safe_str(password)
252 password = safe_str(password)
254 return crypto_backend().hash_create(password)
253 return crypto_backend().hash_create(password)
255
254
256
255
257 def check_password(password, hashed):
256 def check_password(password, hashed):
258 """
257 """
259 Check if the value in `password` matches the hash in `hashed`.
258 Check if the value in `password` matches the hash in `hashed`.
260
259
261 :param password: The cleartext password.
260 :param password: The cleartext password.
262 :type password: unicode
261 :type password: unicode
263
262
264 :param hashed: The expected hashed version of the password.
263 :param hashed: The expected hashed version of the password.
265 :type hashed: The hash has to be passed in in text representation.
264 :type hashed: The hash has to be passed in in text representation.
266 """
265 """
267 password = safe_str(password)
266 password = safe_str(password)
268 return crypto_backend().hash_check(password, hashed)
267 return crypto_backend().hash_check(password, hashed)
269
268
270
269
271 def generate_auth_token(data, salt=None):
270 def generate_auth_token(data, salt=None):
272 """
271 """
273 Generates API KEY from given string
272 Generates API KEY from given string
274 """
273 """
275
274
276 if salt is None:
275 if salt is None:
277 salt = os.urandom(16)
276 salt = os.urandom(16)
278 return hashlib.sha1(safe_str(data) + salt).hexdigest()
277 return hashlib.sha1(safe_str(data) + salt).hexdigest()
279
278
280
279
281 def get_came_from(request):
280 def get_came_from(request):
282 """
281 """
283 get query_string+path from request sanitized after removing auth_token
282 get query_string+path from request sanitized after removing auth_token
284 """
283 """
285 _req = request
284 _req = request
286
285
287 path = _req.path
286 path = _req.path
288 if 'auth_token' in _req.GET:
287 if 'auth_token' in _req.GET:
289 # sanitize the request and remove auth_token for redirection
288 # sanitize the request and remove auth_token for redirection
290 _req.GET.pop('auth_token')
289 _req.GET.pop('auth_token')
291 qs = _req.query_string
290 qs = _req.query_string
292 if qs:
291 if qs:
293 path += '?' + qs
292 path += '?' + qs
294
293
295 return path
294 return path
296
295
297
296
298 class CookieStoreWrapper(object):
297 class CookieStoreWrapper(object):
299
298
300 def __init__(self, cookie_store):
299 def __init__(self, cookie_store):
301 self.cookie_store = cookie_store
300 self.cookie_store = cookie_store
302
301
303 def __repr__(self):
302 def __repr__(self):
304 return 'CookieStore<%s>' % (self.cookie_store)
303 return 'CookieStore<%s>' % (self.cookie_store)
305
304
306 def get(self, key, other=None):
305 def get(self, key, other=None):
307 if isinstance(self.cookie_store, dict):
306 if isinstance(self.cookie_store, dict):
308 return self.cookie_store.get(key, other)
307 return self.cookie_store.get(key, other)
309 elif isinstance(self.cookie_store, AuthUser):
308 elif isinstance(self.cookie_store, AuthUser):
310 return self.cookie_store.__dict__.get(key, other)
309 return self.cookie_store.__dict__.get(key, other)
311
310
312
311
313 def _cached_perms_data(user_id, scope, user_is_admin,
312 def _cached_perms_data(user_id, scope, user_is_admin,
314 user_inherit_default_permissions, explicit, algo,
313 user_inherit_default_permissions, explicit, algo,
315 calculate_super_admin):
314 calculate_super_admin):
316
315
317 permissions = PermissionCalculator(
316 permissions = PermissionCalculator(
318 user_id, scope, user_is_admin, user_inherit_default_permissions,
317 user_id, scope, user_is_admin, user_inherit_default_permissions,
319 explicit, algo, calculate_super_admin)
318 explicit, algo, calculate_super_admin)
320 return permissions.calculate()
319 return permissions.calculate()
321
320
322
321
323 class PermOrigin(object):
322 class PermOrigin(object):
324 SUPER_ADMIN = 'superadmin'
323 SUPER_ADMIN = 'superadmin'
325 ARCHIVED = 'archived'
324 ARCHIVED = 'archived'
326
325
327 REPO_USER = 'user:%s'
326 REPO_USER = 'user:%s'
328 REPO_USERGROUP = 'usergroup:%s'
327 REPO_USERGROUP = 'usergroup:%s'
329 REPO_OWNER = 'repo.owner'
328 REPO_OWNER = 'repo.owner'
330 REPO_DEFAULT = 'repo.default'
329 REPO_DEFAULT = 'repo.default'
331 REPO_DEFAULT_NO_INHERIT = 'repo.default.no.inherit'
330 REPO_DEFAULT_NO_INHERIT = 'repo.default.no.inherit'
332 REPO_PRIVATE = 'repo.private'
331 REPO_PRIVATE = 'repo.private'
333
332
334 REPOGROUP_USER = 'user:%s'
333 REPOGROUP_USER = 'user:%s'
335 REPOGROUP_USERGROUP = 'usergroup:%s'
334 REPOGROUP_USERGROUP = 'usergroup:%s'
336 REPOGROUP_OWNER = 'group.owner'
335 REPOGROUP_OWNER = 'group.owner'
337 REPOGROUP_DEFAULT = 'group.default'
336 REPOGROUP_DEFAULT = 'group.default'
338 REPOGROUP_DEFAULT_NO_INHERIT = 'group.default.no.inherit'
337 REPOGROUP_DEFAULT_NO_INHERIT = 'group.default.no.inherit'
339
338
340 USERGROUP_USER = 'user:%s'
339 USERGROUP_USER = 'user:%s'
341 USERGROUP_USERGROUP = 'usergroup:%s'
340 USERGROUP_USERGROUP = 'usergroup:%s'
342 USERGROUP_OWNER = 'usergroup.owner'
341 USERGROUP_OWNER = 'usergroup.owner'
343 USERGROUP_DEFAULT = 'usergroup.default'
342 USERGROUP_DEFAULT = 'usergroup.default'
344 USERGROUP_DEFAULT_NO_INHERIT = 'usergroup.default.no.inherit'
343 USERGROUP_DEFAULT_NO_INHERIT = 'usergroup.default.no.inherit'
345
344
346
345
347 class PermOriginDict(dict):
346 class PermOriginDict(dict):
348 """
347 """
349 A special dict used for tracking permissions along with their origins.
348 A special dict used for tracking permissions along with their origins.
350
349
351 `__setitem__` has been overridden to expect a tuple(perm, origin)
350 `__setitem__` has been overridden to expect a tuple(perm, origin)
352 `__getitem__` will return only the perm
351 `__getitem__` will return only the perm
353 `.perm_origin_stack` will return the stack of (perm, origin) set per key
352 `.perm_origin_stack` will return the stack of (perm, origin) set per key
354
353
355 >>> perms = PermOriginDict()
354 >>> perms = PermOriginDict()
356 >>> perms['resource'] = 'read', 'default'
355 >>> perms['resource'] = 'read', 'default'
357 >>> perms['resource']
356 >>> perms['resource']
358 'read'
357 'read'
359 >>> perms['resource'] = 'write', 'admin'
358 >>> perms['resource'] = 'write', 'admin'
360 >>> perms['resource']
359 >>> perms['resource']
361 'write'
360 'write'
362 >>> perms.perm_origin_stack
361 >>> perms.perm_origin_stack
363 {'resource': [('read', 'default'), ('write', 'admin')]}
362 {'resource': [('read', 'default'), ('write', 'admin')]}
364 """
363 """
365
364
366 def __init__(self, *args, **kw):
365 def __init__(self, *args, **kw):
367 dict.__init__(self, *args, **kw)
366 dict.__init__(self, *args, **kw)
368 self.perm_origin_stack = collections.OrderedDict()
367 self.perm_origin_stack = collections.OrderedDict()
369
368
370 def __setitem__(self, key, (perm, origin)):
369 def __setitem__(self, key, (perm, origin)):
371 self.perm_origin_stack.setdefault(key, []).append(
370 self.perm_origin_stack.setdefault(key, []).append(
372 (perm, origin))
371 (perm, origin))
373 dict.__setitem__(self, key, perm)
372 dict.__setitem__(self, key, perm)
374
373
375
374
376 class BranchPermOriginDict(PermOriginDict):
375 class BranchPermOriginDict(PermOriginDict):
377 """
376 """
378 Dedicated branch permissions dict, with tracking of patterns and origins.
377 Dedicated branch permissions dict, with tracking of patterns and origins.
379
378
380 >>> perms = BranchPermOriginDict()
379 >>> perms = BranchPermOriginDict()
381 >>> perms['resource'] = '*pattern', 'read', 'default'
380 >>> perms['resource'] = '*pattern', 'read', 'default'
382 >>> perms['resource']
381 >>> perms['resource']
383 {'*pattern': 'read'}
382 {'*pattern': 'read'}
384 >>> perms['resource'] = '*pattern', 'write', 'admin'
383 >>> perms['resource'] = '*pattern', 'write', 'admin'
385 >>> perms['resource']
384 >>> perms['resource']
386 {'*pattern': 'write'}
385 {'*pattern': 'write'}
387 >>> perms.perm_origin_stack
386 >>> perms.perm_origin_stack
388 {'resource': {'*pattern': [('read', 'default'), ('write', 'admin')]}}
387 {'resource': {'*pattern': [('read', 'default'), ('write', 'admin')]}}
389 """
388 """
390 def __setitem__(self, key, (pattern, perm, origin)):
389 def __setitem__(self, key, (pattern, perm, origin)):
391
390
392 self.perm_origin_stack.setdefault(key, {}) \
391 self.perm_origin_stack.setdefault(key, {}) \
393 .setdefault(pattern, []).append((perm, origin))
392 .setdefault(pattern, []).append((perm, origin))
394
393
395 if key in self:
394 if key in self:
396 self[key].__setitem__(pattern, perm)
395 self[key].__setitem__(pattern, perm)
397 else:
396 else:
398 patterns = collections.OrderedDict()
397 patterns = collections.OrderedDict()
399 patterns[pattern] = perm
398 patterns[pattern] = perm
400 dict.__setitem__(self, key, patterns)
399 dict.__setitem__(self, key, patterns)
401
400
402
401
403 class PermissionCalculator(object):
402 class PermissionCalculator(object):
404
403
405 def __init__(
404 def __init__(
406 self, user_id, scope, user_is_admin,
405 self, user_id, scope, user_is_admin,
407 user_inherit_default_permissions, explicit, algo,
406 user_inherit_default_permissions, explicit, algo,
408 calculate_super_admin_as_user=False):
407 calculate_super_admin_as_user=False):
409
408
410 self.user_id = user_id
409 self.user_id = user_id
411 self.user_is_admin = user_is_admin
410 self.user_is_admin = user_is_admin
412 self.inherit_default_permissions = user_inherit_default_permissions
411 self.inherit_default_permissions = user_inherit_default_permissions
413 self.explicit = explicit
412 self.explicit = explicit
414 self.algo = algo
413 self.algo = algo
415 self.calculate_super_admin_as_user = calculate_super_admin_as_user
414 self.calculate_super_admin_as_user = calculate_super_admin_as_user
416
415
417 scope = scope or {}
416 scope = scope or {}
418 self.scope_repo_id = scope.get('repo_id')
417 self.scope_repo_id = scope.get('repo_id')
419 self.scope_repo_group_id = scope.get('repo_group_id')
418 self.scope_repo_group_id = scope.get('repo_group_id')
420 self.scope_user_group_id = scope.get('user_group_id')
419 self.scope_user_group_id = scope.get('user_group_id')
421
420
422 self.default_user_id = User.get_default_user(cache=True).user_id
421 self.default_user_id = User.get_default_user(cache=True).user_id
423
422
424 self.permissions_repositories = PermOriginDict()
423 self.permissions_repositories = PermOriginDict()
425 self.permissions_repository_groups = PermOriginDict()
424 self.permissions_repository_groups = PermOriginDict()
426 self.permissions_user_groups = PermOriginDict()
425 self.permissions_user_groups = PermOriginDict()
427 self.permissions_repository_branches = BranchPermOriginDict()
426 self.permissions_repository_branches = BranchPermOriginDict()
428 self.permissions_global = set()
427 self.permissions_global = set()
429
428
430 self.default_repo_perms = Permission.get_default_repo_perms(
429 self.default_repo_perms = Permission.get_default_repo_perms(
431 self.default_user_id, self.scope_repo_id)
430 self.default_user_id, self.scope_repo_id)
432 self.default_repo_groups_perms = Permission.get_default_group_perms(
431 self.default_repo_groups_perms = Permission.get_default_group_perms(
433 self.default_user_id, self.scope_repo_group_id)
432 self.default_user_id, self.scope_repo_group_id)
434 self.default_user_group_perms = \
433 self.default_user_group_perms = \
435 Permission.get_default_user_group_perms(
434 Permission.get_default_user_group_perms(
436 self.default_user_id, self.scope_user_group_id)
435 self.default_user_id, self.scope_user_group_id)
437
436
438 # default branch perms
437 # default branch perms
439 self.default_branch_repo_perms = \
438 self.default_branch_repo_perms = \
440 Permission.get_default_repo_branch_perms(
439 Permission.get_default_repo_branch_perms(
441 self.default_user_id, self.scope_repo_id)
440 self.default_user_id, self.scope_repo_id)
442
441
443 def calculate(self):
442 def calculate(self):
444 if self.user_is_admin and not self.calculate_super_admin_as_user:
443 if self.user_is_admin and not self.calculate_super_admin_as_user:
445 return self._calculate_admin_permissions()
444 return self._calculate_admin_permissions()
446
445
447 self._calculate_global_default_permissions()
446 self._calculate_global_default_permissions()
448 self._calculate_global_permissions()
447 self._calculate_global_permissions()
449 self._calculate_default_permissions()
448 self._calculate_default_permissions()
450 self._calculate_repository_permissions()
449 self._calculate_repository_permissions()
451 self._calculate_repository_branch_permissions()
450 self._calculate_repository_branch_permissions()
452 self._calculate_repository_group_permissions()
451 self._calculate_repository_group_permissions()
453 self._calculate_user_group_permissions()
452 self._calculate_user_group_permissions()
454 return self._permission_structure()
453 return self._permission_structure()
455
454
456 def _calculate_admin_permissions(self):
455 def _calculate_admin_permissions(self):
457 """
456 """
458 admin user have all default rights for repositories
457 admin user have all default rights for repositories
459 and groups set to admin
458 and groups set to admin
460 """
459 """
461 self.permissions_global.add('hg.admin')
460 self.permissions_global.add('hg.admin')
462 self.permissions_global.add('hg.create.write_on_repogroup.true')
461 self.permissions_global.add('hg.create.write_on_repogroup.true')
463
462
464 # repositories
463 # repositories
465 for perm in self.default_repo_perms:
464 for perm in self.default_repo_perms:
466 r_k = perm.UserRepoToPerm.repository.repo_name
465 r_k = perm.UserRepoToPerm.repository.repo_name
467 archived = perm.UserRepoToPerm.repository.archived
466 archived = perm.UserRepoToPerm.repository.archived
468 p = 'repository.admin'
467 p = 'repository.admin'
469 self.permissions_repositories[r_k] = p, PermOrigin.SUPER_ADMIN
468 self.permissions_repositories[r_k] = p, PermOrigin.SUPER_ADMIN
470 # special case for archived repositories, which we block still even for
469 # special case for archived repositories, which we block still even for
471 # super admins
470 # super admins
472 if archived:
471 if archived:
473 p = 'repository.read'
472 p = 'repository.read'
474 self.permissions_repositories[r_k] = p, PermOrigin.ARCHIVED
473 self.permissions_repositories[r_k] = p, PermOrigin.ARCHIVED
475
474
476 # repository groups
475 # repository groups
477 for perm in self.default_repo_groups_perms:
476 for perm in self.default_repo_groups_perms:
478 rg_k = perm.UserRepoGroupToPerm.group.group_name
477 rg_k = perm.UserRepoGroupToPerm.group.group_name
479 p = 'group.admin'
478 p = 'group.admin'
480 self.permissions_repository_groups[rg_k] = p, PermOrigin.SUPER_ADMIN
479 self.permissions_repository_groups[rg_k] = p, PermOrigin.SUPER_ADMIN
481
480
482 # user groups
481 # user groups
483 for perm in self.default_user_group_perms:
482 for perm in self.default_user_group_perms:
484 u_k = perm.UserUserGroupToPerm.user_group.users_group_name
483 u_k = perm.UserUserGroupToPerm.user_group.users_group_name
485 p = 'usergroup.admin'
484 p = 'usergroup.admin'
486 self.permissions_user_groups[u_k] = p, PermOrigin.SUPER_ADMIN
485 self.permissions_user_groups[u_k] = p, PermOrigin.SUPER_ADMIN
487
486
488 # branch permissions
487 # branch permissions
489 # since super-admin also can have custom rule permissions
488 # since super-admin also can have custom rule permissions
490 # we *always* need to calculate those inherited from default, and also explicit
489 # we *always* need to calculate those inherited from default, and also explicit
491 self._calculate_default_permissions_repository_branches(
490 self._calculate_default_permissions_repository_branches(
492 user_inherit_object_permissions=False)
491 user_inherit_object_permissions=False)
493 self._calculate_repository_branch_permissions()
492 self._calculate_repository_branch_permissions()
494
493
495 return self._permission_structure()
494 return self._permission_structure()
496
495
497 def _calculate_global_default_permissions(self):
496 def _calculate_global_default_permissions(self):
498 """
497 """
499 global permissions taken from the default user
498 global permissions taken from the default user
500 """
499 """
501 default_global_perms = UserToPerm.query()\
500 default_global_perms = UserToPerm.query()\
502 .filter(UserToPerm.user_id == self.default_user_id)\
501 .filter(UserToPerm.user_id == self.default_user_id)\
503 .options(joinedload(UserToPerm.permission))
502 .options(joinedload(UserToPerm.permission))
504
503
505 for perm in default_global_perms:
504 for perm in default_global_perms:
506 self.permissions_global.add(perm.permission.permission_name)
505 self.permissions_global.add(perm.permission.permission_name)
507
506
508 if self.user_is_admin:
507 if self.user_is_admin:
509 self.permissions_global.add('hg.admin')
508 self.permissions_global.add('hg.admin')
510 self.permissions_global.add('hg.create.write_on_repogroup.true')
509 self.permissions_global.add('hg.create.write_on_repogroup.true')
511
510
512 def _calculate_global_permissions(self):
511 def _calculate_global_permissions(self):
513 """
512 """
514 Set global system permissions with user permissions or permissions
513 Set global system permissions with user permissions or permissions
515 taken from the user groups of the current user.
514 taken from the user groups of the current user.
516
515
517 The permissions include repo creating, repo group creating, forking
516 The permissions include repo creating, repo group creating, forking
518 etc.
517 etc.
519 """
518 """
520
519
521 # now we read the defined permissions and overwrite what we have set
520 # now we read the defined permissions and overwrite what we have set
522 # before those can be configured from groups or users explicitly.
521 # before those can be configured from groups or users explicitly.
523
522
524 # In case we want to extend this list we should make sure
523 # In case we want to extend this list we should make sure
525 # this is in sync with User.DEFAULT_USER_PERMISSIONS definitions
524 # this is in sync with User.DEFAULT_USER_PERMISSIONS definitions
526 _configurable = frozenset([
525 _configurable = frozenset([
527 'hg.fork.none', 'hg.fork.repository',
526 'hg.fork.none', 'hg.fork.repository',
528 'hg.create.none', 'hg.create.repository',
527 'hg.create.none', 'hg.create.repository',
529 'hg.usergroup.create.false', 'hg.usergroup.create.true',
528 'hg.usergroup.create.false', 'hg.usergroup.create.true',
530 'hg.repogroup.create.false', 'hg.repogroup.create.true',
529 'hg.repogroup.create.false', 'hg.repogroup.create.true',
531 'hg.create.write_on_repogroup.false', 'hg.create.write_on_repogroup.true',
530 'hg.create.write_on_repogroup.false', 'hg.create.write_on_repogroup.true',
532 'hg.inherit_default_perms.false', 'hg.inherit_default_perms.true'
531 'hg.inherit_default_perms.false', 'hg.inherit_default_perms.true'
533 ])
532 ])
534
533
535 # USER GROUPS comes first user group global permissions
534 # USER GROUPS comes first user group global permissions
536 user_perms_from_users_groups = Session().query(UserGroupToPerm)\
535 user_perms_from_users_groups = Session().query(UserGroupToPerm)\
537 .options(joinedload(UserGroupToPerm.permission))\
536 .options(joinedload(UserGroupToPerm.permission))\
538 .join((UserGroupMember, UserGroupToPerm.users_group_id ==
537 .join((UserGroupMember, UserGroupToPerm.users_group_id ==
539 UserGroupMember.users_group_id))\
538 UserGroupMember.users_group_id))\
540 .filter(UserGroupMember.user_id == self.user_id)\
539 .filter(UserGroupMember.user_id == self.user_id)\
541 .order_by(UserGroupToPerm.users_group_id)\
540 .order_by(UserGroupToPerm.users_group_id)\
542 .all()
541 .all()
543
542
544 # need to group here by groups since user can be in more than
543 # need to group here by groups since user can be in more than
545 # one group, so we get all groups
544 # one group, so we get all groups
546 _explicit_grouped_perms = [
545 _explicit_grouped_perms = [
547 [x, list(y)] for x, y in
546 [x, list(y)] for x, y in
548 itertools.groupby(user_perms_from_users_groups,
547 itertools.groupby(user_perms_from_users_groups,
549 lambda _x: _x.users_group)]
548 lambda _x: _x.users_group)]
550
549
551 for gr, perms in _explicit_grouped_perms:
550 for gr, perms in _explicit_grouped_perms:
552 # since user can be in multiple groups iterate over them and
551 # since user can be in multiple groups iterate over them and
553 # select the lowest permissions first (more explicit)
552 # select the lowest permissions first (more explicit)
554 # TODO(marcink): do this^^
553 # TODO(marcink): do this^^
555
554
556 # group doesn't inherit default permissions so we actually set them
555 # group doesn't inherit default permissions so we actually set them
557 if not gr.inherit_default_permissions:
556 if not gr.inherit_default_permissions:
558 # NEED TO IGNORE all previously set configurable permissions
557 # NEED TO IGNORE all previously set configurable permissions
559 # and replace them with explicitly set from this user
558 # and replace them with explicitly set from this user
560 # group permissions
559 # group permissions
561 self.permissions_global = self.permissions_global.difference(
560 self.permissions_global = self.permissions_global.difference(
562 _configurable)
561 _configurable)
563 for perm in perms:
562 for perm in perms:
564 self.permissions_global.add(perm.permission.permission_name)
563 self.permissions_global.add(perm.permission.permission_name)
565
564
566 # user explicit global permissions
565 # user explicit global permissions
567 user_perms = Session().query(UserToPerm)\
566 user_perms = Session().query(UserToPerm)\
568 .options(joinedload(UserToPerm.permission))\
567 .options(joinedload(UserToPerm.permission))\
569 .filter(UserToPerm.user_id == self.user_id).all()
568 .filter(UserToPerm.user_id == self.user_id).all()
570
569
571 if not self.inherit_default_permissions:
570 if not self.inherit_default_permissions:
572 # NEED TO IGNORE all configurable permissions and
571 # NEED TO IGNORE all configurable permissions and
573 # replace them with explicitly set from this user permissions
572 # replace them with explicitly set from this user permissions
574 self.permissions_global = self.permissions_global.difference(
573 self.permissions_global = self.permissions_global.difference(
575 _configurable)
574 _configurable)
576 for perm in user_perms:
575 for perm in user_perms:
577 self.permissions_global.add(perm.permission.permission_name)
576 self.permissions_global.add(perm.permission.permission_name)
578
577
579 def _calculate_default_permissions_repositories(self, user_inherit_object_permissions):
578 def _calculate_default_permissions_repositories(self, user_inherit_object_permissions):
580 for perm in self.default_repo_perms:
579 for perm in self.default_repo_perms:
581 r_k = perm.UserRepoToPerm.repository.repo_name
580 r_k = perm.UserRepoToPerm.repository.repo_name
582 archived = perm.UserRepoToPerm.repository.archived
581 archived = perm.UserRepoToPerm.repository.archived
583 p = perm.Permission.permission_name
582 p = perm.Permission.permission_name
584 o = PermOrigin.REPO_DEFAULT
583 o = PermOrigin.REPO_DEFAULT
585 self.permissions_repositories[r_k] = p, o
584 self.permissions_repositories[r_k] = p, o
586
585
587 # if we decide this user isn't inheriting permissions from
586 # if we decide this user isn't inheriting permissions from
588 # default user we set him to .none so only explicit
587 # default user we set him to .none so only explicit
589 # permissions work
588 # permissions work
590 if not user_inherit_object_permissions:
589 if not user_inherit_object_permissions:
591 p = 'repository.none'
590 p = 'repository.none'
592 o = PermOrigin.REPO_DEFAULT_NO_INHERIT
591 o = PermOrigin.REPO_DEFAULT_NO_INHERIT
593 self.permissions_repositories[r_k] = p, o
592 self.permissions_repositories[r_k] = p, o
594
593
595 if perm.Repository.private and not (
594 if perm.Repository.private and not (
596 perm.Repository.user_id == self.user_id):
595 perm.Repository.user_id == self.user_id):
597 # disable defaults for private repos,
596 # disable defaults for private repos,
598 p = 'repository.none'
597 p = 'repository.none'
599 o = PermOrigin.REPO_PRIVATE
598 o = PermOrigin.REPO_PRIVATE
600 self.permissions_repositories[r_k] = p, o
599 self.permissions_repositories[r_k] = p, o
601
600
602 elif perm.Repository.user_id == self.user_id:
601 elif perm.Repository.user_id == self.user_id:
603 # set admin if owner
602 # set admin if owner
604 p = 'repository.admin'
603 p = 'repository.admin'
605 o = PermOrigin.REPO_OWNER
604 o = PermOrigin.REPO_OWNER
606 self.permissions_repositories[r_k] = p, o
605 self.permissions_repositories[r_k] = p, o
607
606
608 if self.user_is_admin:
607 if self.user_is_admin:
609 p = 'repository.admin'
608 p = 'repository.admin'
610 o = PermOrigin.SUPER_ADMIN
609 o = PermOrigin.SUPER_ADMIN
611 self.permissions_repositories[r_k] = p, o
610 self.permissions_repositories[r_k] = p, o
612
611
613 # finally in case of archived repositories, we downgrade higher
612 # finally in case of archived repositories, we downgrade higher
614 # permissions to read
613 # permissions to read
615 if archived:
614 if archived:
616 current_perm = self.permissions_repositories[r_k]
615 current_perm = self.permissions_repositories[r_k]
617 if current_perm in ['repository.write', 'repository.admin']:
616 if current_perm in ['repository.write', 'repository.admin']:
618 p = 'repository.read'
617 p = 'repository.read'
619 o = PermOrigin.ARCHIVED
618 o = PermOrigin.ARCHIVED
620 self.permissions_repositories[r_k] = p, o
619 self.permissions_repositories[r_k] = p, o
621
620
622 def _calculate_default_permissions_repository_branches(self, user_inherit_object_permissions):
621 def _calculate_default_permissions_repository_branches(self, user_inherit_object_permissions):
623 for perm in self.default_branch_repo_perms:
622 for perm in self.default_branch_repo_perms:
624
623
625 r_k = perm.UserRepoToPerm.repository.repo_name
624 r_k = perm.UserRepoToPerm.repository.repo_name
626 p = perm.Permission.permission_name
625 p = perm.Permission.permission_name
627 pattern = perm.UserToRepoBranchPermission.branch_pattern
626 pattern = perm.UserToRepoBranchPermission.branch_pattern
628 o = PermOrigin.REPO_USER % perm.UserRepoToPerm.user.username
627 o = PermOrigin.REPO_USER % perm.UserRepoToPerm.user.username
629
628
630 if not self.explicit:
629 if not self.explicit:
631 # TODO(marcink): fix this for multiple entries
630 cur_perm = self.permissions_repository_branches.get(r_k)
632 cur_perm = self.permissions_repository_branches.get(r_k) or 'branch.none'
631 if cur_perm:
632 cur_perm = cur_perm[pattern]
633 cur_perm = cur_perm or 'branch.none'
634
633 p = self._choose_permission(p, cur_perm)
635 p = self._choose_permission(p, cur_perm)
634
636
635 # NOTE(marcink): register all pattern/perm instances in this
637 # NOTE(marcink): register all pattern/perm instances in this
636 # special dict that aggregates entries
638 # special dict that aggregates entries
637 self.permissions_repository_branches[r_k] = pattern, p, o
639 self.permissions_repository_branches[r_k] = pattern, p, o
638
640
639 def _calculate_default_permissions_repository_groups(self, user_inherit_object_permissions):
641 def _calculate_default_permissions_repository_groups(self, user_inherit_object_permissions):
640 for perm in self.default_repo_groups_perms:
642 for perm in self.default_repo_groups_perms:
641 rg_k = perm.UserRepoGroupToPerm.group.group_name
643 rg_k = perm.UserRepoGroupToPerm.group.group_name
642 p = perm.Permission.permission_name
644 p = perm.Permission.permission_name
643 o = PermOrigin.REPOGROUP_DEFAULT
645 o = PermOrigin.REPOGROUP_DEFAULT
644 self.permissions_repository_groups[rg_k] = p, o
646 self.permissions_repository_groups[rg_k] = p, o
645
647
646 # if we decide this user isn't inheriting permissions from default
648 # if we decide this user isn't inheriting permissions from default
647 # user we set him to .none so only explicit permissions work
649 # user we set him to .none so only explicit permissions work
648 if not user_inherit_object_permissions:
650 if not user_inherit_object_permissions:
649 p = 'group.none'
651 p = 'group.none'
650 o = PermOrigin.REPOGROUP_DEFAULT_NO_INHERIT
652 o = PermOrigin.REPOGROUP_DEFAULT_NO_INHERIT
651 self.permissions_repository_groups[rg_k] = p, o
653 self.permissions_repository_groups[rg_k] = p, o
652
654
653 if perm.RepoGroup.user_id == self.user_id:
655 if perm.RepoGroup.user_id == self.user_id:
654 # set admin if owner
656 # set admin if owner
655 p = 'group.admin'
657 p = 'group.admin'
656 o = PermOrigin.REPOGROUP_OWNER
658 o = PermOrigin.REPOGROUP_OWNER
657 self.permissions_repository_groups[rg_k] = p, o
659 self.permissions_repository_groups[rg_k] = p, o
658
660
659 if self.user_is_admin:
661 if self.user_is_admin:
660 p = 'group.admin'
662 p = 'group.admin'
661 o = PermOrigin.SUPER_ADMIN
663 o = PermOrigin.SUPER_ADMIN
662 self.permissions_repository_groups[rg_k] = p, o
664 self.permissions_repository_groups[rg_k] = p, o
663
665
664 def _calculate_default_permissions_user_groups(self, user_inherit_object_permissions):
666 def _calculate_default_permissions_user_groups(self, user_inherit_object_permissions):
665 for perm in self.default_user_group_perms:
667 for perm in self.default_user_group_perms:
666 u_k = perm.UserUserGroupToPerm.user_group.users_group_name
668 u_k = perm.UserUserGroupToPerm.user_group.users_group_name
667 p = perm.Permission.permission_name
669 p = perm.Permission.permission_name
668 o = PermOrigin.USERGROUP_DEFAULT
670 o = PermOrigin.USERGROUP_DEFAULT
669 self.permissions_user_groups[u_k] = p, o
671 self.permissions_user_groups[u_k] = p, o
670
672
671 # if we decide this user isn't inheriting permissions from default
673 # if we decide this user isn't inheriting permissions from default
672 # user we set him to .none so only explicit permissions work
674 # user we set him to .none so only explicit permissions work
673 if not user_inherit_object_permissions:
675 if not user_inherit_object_permissions:
674 p = 'usergroup.none'
676 p = 'usergroup.none'
675 o = PermOrigin.USERGROUP_DEFAULT_NO_INHERIT
677 o = PermOrigin.USERGROUP_DEFAULT_NO_INHERIT
676 self.permissions_user_groups[u_k] = p, o
678 self.permissions_user_groups[u_k] = p, o
677
679
678 if perm.UserGroup.user_id == self.user_id:
680 if perm.UserGroup.user_id == self.user_id:
679 # set admin if owner
681 # set admin if owner
680 p = 'usergroup.admin'
682 p = 'usergroup.admin'
681 o = PermOrigin.USERGROUP_OWNER
683 o = PermOrigin.USERGROUP_OWNER
682 self.permissions_user_groups[u_k] = p, o
684 self.permissions_user_groups[u_k] = p, o
683
685
684 if self.user_is_admin:
686 if self.user_is_admin:
685 p = 'usergroup.admin'
687 p = 'usergroup.admin'
686 o = PermOrigin.SUPER_ADMIN
688 o = PermOrigin.SUPER_ADMIN
687 self.permissions_user_groups[u_k] = p, o
689 self.permissions_user_groups[u_k] = p, o
688
690
689 def _calculate_default_permissions(self):
691 def _calculate_default_permissions(self):
690 """
692 """
691 Set default user permissions for repositories, repository branches,
693 Set default user permissions for repositories, repository branches,
692 repository groups, user groups taken from the default user.
694 repository groups, user groups taken from the default user.
693
695
694 Calculate inheritance of object permissions based on what we have now
696 Calculate inheritance of object permissions based on what we have now
695 in GLOBAL permissions. We check if .false is in GLOBAL since this is
697 in GLOBAL permissions. We check if .false is in GLOBAL since this is
696 explicitly set. Inherit is the opposite of .false being there.
698 explicitly set. Inherit is the opposite of .false being there.
697
699
698 .. note::
700 .. note::
699
701
700 the syntax is little bit odd but what we need to check here is
702 the syntax is little bit odd but what we need to check here is
701 the opposite of .false permission being in the list so even for
703 the opposite of .false permission being in the list so even for
702 inconsistent state when both .true/.false is there
704 inconsistent state when both .true/.false is there
703 .false is more important
705 .false is more important
704
706
705 """
707 """
706 user_inherit_object_permissions = not ('hg.inherit_default_perms.false'
708 user_inherit_object_permissions = not ('hg.inherit_default_perms.false'
707 in self.permissions_global)
709 in self.permissions_global)
708
710
709 # default permissions inherited from `default` user permissions
711 # default permissions inherited from `default` user permissions
710 self._calculate_default_permissions_repositories(
712 self._calculate_default_permissions_repositories(
711 user_inherit_object_permissions)
713 user_inherit_object_permissions)
712
714
713 self._calculate_default_permissions_repository_branches(
715 self._calculate_default_permissions_repository_branches(
714 user_inherit_object_permissions)
716 user_inherit_object_permissions)
715
717
716 self._calculate_default_permissions_repository_groups(
718 self._calculate_default_permissions_repository_groups(
717 user_inherit_object_permissions)
719 user_inherit_object_permissions)
718
720
719 self._calculate_default_permissions_user_groups(
721 self._calculate_default_permissions_user_groups(
720 user_inherit_object_permissions)
722 user_inherit_object_permissions)
721
723
722 def _calculate_repository_permissions(self):
724 def _calculate_repository_permissions(self):
723 """
725 """
724 Repository permissions for the current user.
726 Repository permissions for the current user.
725
727
726 Check if the user is part of user groups for this repository and
728 Check if the user is part of user groups for this repository and
727 fill in the permission from it. `_choose_permission` decides of which
729 fill in the permission from it. `_choose_permission` decides of which
728 permission should be selected based on selected method.
730 permission should be selected based on selected method.
729 """
731 """
730
732
731 # user group for repositories permissions
733 # user group for repositories permissions
732 user_repo_perms_from_user_group = Permission\
734 user_repo_perms_from_user_group = Permission\
733 .get_default_repo_perms_from_user_group(
735 .get_default_repo_perms_from_user_group(
734 self.user_id, self.scope_repo_id)
736 self.user_id, self.scope_repo_id)
735
737
736 multiple_counter = collections.defaultdict(int)
738 multiple_counter = collections.defaultdict(int)
737 for perm in user_repo_perms_from_user_group:
739 for perm in user_repo_perms_from_user_group:
738 r_k = perm.UserGroupRepoToPerm.repository.repo_name
740 r_k = perm.UserGroupRepoToPerm.repository.repo_name
739 multiple_counter[r_k] += 1
741 multiple_counter[r_k] += 1
740 p = perm.Permission.permission_name
742 p = perm.Permission.permission_name
741 o = PermOrigin.REPO_USERGROUP % perm.UserGroupRepoToPerm\
743 o = PermOrigin.REPO_USERGROUP % perm.UserGroupRepoToPerm\
742 .users_group.users_group_name
744 .users_group.users_group_name
743
745
744 if multiple_counter[r_k] > 1:
746 if multiple_counter[r_k] > 1:
745 cur_perm = self.permissions_repositories[r_k]
747 cur_perm = self.permissions_repositories[r_k]
746 p = self._choose_permission(p, cur_perm)
748 p = self._choose_permission(p, cur_perm)
747
749
748 self.permissions_repositories[r_k] = p, o
750 self.permissions_repositories[r_k] = p, o
749
751
750 if perm.Repository.user_id == self.user_id:
752 if perm.Repository.user_id == self.user_id:
751 # set admin if owner
753 # set admin if owner
752 p = 'repository.admin'
754 p = 'repository.admin'
753 o = PermOrigin.REPO_OWNER
755 o = PermOrigin.REPO_OWNER
754 self.permissions_repositories[r_k] = p, o
756 self.permissions_repositories[r_k] = p, o
755
757
756 if self.user_is_admin:
758 if self.user_is_admin:
757 p = 'repository.admin'
759 p = 'repository.admin'
758 o = PermOrigin.SUPER_ADMIN
760 o = PermOrigin.SUPER_ADMIN
759 self.permissions_repositories[r_k] = p, o
761 self.permissions_repositories[r_k] = p, o
760
762
761 # user explicit permissions for repositories, overrides any specified
763 # user explicit permissions for repositories, overrides any specified
762 # by the group permission
764 # by the group permission
763 user_repo_perms = Permission.get_default_repo_perms(
765 user_repo_perms = Permission.get_default_repo_perms(
764 self.user_id, self.scope_repo_id)
766 self.user_id, self.scope_repo_id)
765 for perm in user_repo_perms:
767 for perm in user_repo_perms:
766 r_k = perm.UserRepoToPerm.repository.repo_name
768 r_k = perm.UserRepoToPerm.repository.repo_name
767 p = perm.Permission.permission_name
769 p = perm.Permission.permission_name
768 o = PermOrigin.REPO_USER % perm.UserRepoToPerm.user.username
770 o = PermOrigin.REPO_USER % perm.UserRepoToPerm.user.username
769
771
770 if not self.explicit:
772 if not self.explicit:
771 cur_perm = self.permissions_repositories.get(
773 cur_perm = self.permissions_repositories.get(
772 r_k, 'repository.none')
774 r_k, 'repository.none')
773 p = self._choose_permission(p, cur_perm)
775 p = self._choose_permission(p, cur_perm)
774
776
775 self.permissions_repositories[r_k] = p, o
777 self.permissions_repositories[r_k] = p, o
776
778
777 if perm.Repository.user_id == self.user_id:
779 if perm.Repository.user_id == self.user_id:
778 # set admin if owner
780 # set admin if owner
779 p = 'repository.admin'
781 p = 'repository.admin'
780 o = PermOrigin.REPO_OWNER
782 o = PermOrigin.REPO_OWNER
781 self.permissions_repositories[r_k] = p, o
783 self.permissions_repositories[r_k] = p, o
782
784
783 if self.user_is_admin:
785 if self.user_is_admin:
784 p = 'repository.admin'
786 p = 'repository.admin'
785 o = PermOrigin.SUPER_ADMIN
787 o = PermOrigin.SUPER_ADMIN
786 self.permissions_repositories[r_k] = p, o
788 self.permissions_repositories[r_k] = p, o
787
789
788 def _calculate_repository_branch_permissions(self):
790 def _calculate_repository_branch_permissions(self):
789 # user group for repositories permissions
791 # user group for repositories permissions
790 user_repo_branch_perms_from_user_group = Permission\
792 user_repo_branch_perms_from_user_group = Permission\
791 .get_default_repo_branch_perms_from_user_group(
793 .get_default_repo_branch_perms_from_user_group(
792 self.user_id, self.scope_repo_id)
794 self.user_id, self.scope_repo_id)
793
795
794 multiple_counter = collections.defaultdict(int)
796 multiple_counter = collections.defaultdict(int)
795 for perm in user_repo_branch_perms_from_user_group:
797 for perm in user_repo_branch_perms_from_user_group:
796 r_k = perm.UserGroupRepoToPerm.repository.repo_name
798 r_k = perm.UserGroupRepoToPerm.repository.repo_name
797 p = perm.Permission.permission_name
799 p = perm.Permission.permission_name
798 pattern = perm.UserGroupToRepoBranchPermission.branch_pattern
800 pattern = perm.UserGroupToRepoBranchPermission.branch_pattern
799 o = PermOrigin.REPO_USERGROUP % perm.UserGroupRepoToPerm\
801 o = PermOrigin.REPO_USERGROUP % perm.UserGroupRepoToPerm\
800 .users_group.users_group_name
802 .users_group.users_group_name
801
803
802 multiple_counter[r_k] += 1
804 multiple_counter[r_k] += 1
803 if multiple_counter[r_k] > 1:
805 if multiple_counter[r_k] > 1:
804 # TODO(marcink): fix this for multi branch support, and multiple entries
806 cur_perm = self.permissions_repository_branches[r_k][pattern]
805 cur_perm = self.permissions_repository_branches[r_k]
806 p = self._choose_permission(p, cur_perm)
807 p = self._choose_permission(p, cur_perm)
807
808
808 self.permissions_repository_branches[r_k] = pattern, p, o
809 self.permissions_repository_branches[r_k] = pattern, p, o
809
810
810 # user explicit branch permissions for repositories, overrides
811 # user explicit branch permissions for repositories, overrides
811 # any specified by the group permission
812 # any specified by the group permission
812 user_repo_branch_perms = Permission.get_default_repo_branch_perms(
813 user_repo_branch_perms = Permission.get_default_repo_branch_perms(
813 self.user_id, self.scope_repo_id)
814 self.user_id, self.scope_repo_id)
814
815
815 for perm in user_repo_branch_perms:
816 for perm in user_repo_branch_perms:
816
817
817 r_k = perm.UserRepoToPerm.repository.repo_name
818 r_k = perm.UserRepoToPerm.repository.repo_name
818 p = perm.Permission.permission_name
819 p = perm.Permission.permission_name
819 pattern = perm.UserToRepoBranchPermission.branch_pattern
820 pattern = perm.UserToRepoBranchPermission.branch_pattern
820 o = PermOrigin.REPO_USER % perm.UserRepoToPerm.user.username
821 o = PermOrigin.REPO_USER % perm.UserRepoToPerm.user.username
821
822
822 if not self.explicit:
823 if not self.explicit:
823 # TODO(marcink): fix this for multiple entries
824 cur_perm = self.permissions_repository_branches.get(r_k)
824 cur_perm = self.permissions_repository_branches.get(r_k) or 'branch.none'
825 if cur_perm:
826 cur_perm = cur_perm[pattern]
827 cur_perm = cur_perm or 'branch.none'
825 p = self._choose_permission(p, cur_perm)
828 p = self._choose_permission(p, cur_perm)
826
829
827 # NOTE(marcink): register all pattern/perm instances in this
830 # NOTE(marcink): register all pattern/perm instances in this
828 # special dict that aggregates entries
831 # special dict that aggregates entries
829 self.permissions_repository_branches[r_k] = pattern, p, o
832 self.permissions_repository_branches[r_k] = pattern, p, o
830
833
831 def _calculate_repository_group_permissions(self):
834 def _calculate_repository_group_permissions(self):
832 """
835 """
833 Repository group permissions for the current user.
836 Repository group permissions for the current user.
834
837
835 Check if the user is part of user groups for repository groups and
838 Check if the user is part of user groups for repository groups and
836 fill in the permissions from it. `_choose_permission` decides of which
839 fill in the permissions from it. `_choose_permission` decides of which
837 permission should be selected based on selected method.
840 permission should be selected based on selected method.
838 """
841 """
839 # user group for repo groups permissions
842 # user group for repo groups permissions
840 user_repo_group_perms_from_user_group = Permission\
843 user_repo_group_perms_from_user_group = Permission\
841 .get_default_group_perms_from_user_group(
844 .get_default_group_perms_from_user_group(
842 self.user_id, self.scope_repo_group_id)
845 self.user_id, self.scope_repo_group_id)
843
846
844 multiple_counter = collections.defaultdict(int)
847 multiple_counter = collections.defaultdict(int)
845 for perm in user_repo_group_perms_from_user_group:
848 for perm in user_repo_group_perms_from_user_group:
846 rg_k = perm.UserGroupRepoGroupToPerm.group.group_name
849 rg_k = perm.UserGroupRepoGroupToPerm.group.group_name
847 multiple_counter[rg_k] += 1
850 multiple_counter[rg_k] += 1
848 o = PermOrigin.REPOGROUP_USERGROUP % perm.UserGroupRepoGroupToPerm\
851 o = PermOrigin.REPOGROUP_USERGROUP % perm.UserGroupRepoGroupToPerm\
849 .users_group.users_group_name
852 .users_group.users_group_name
850 p = perm.Permission.permission_name
853 p = perm.Permission.permission_name
851
854
852 if multiple_counter[rg_k] > 1:
855 if multiple_counter[rg_k] > 1:
853 cur_perm = self.permissions_repository_groups[rg_k]
856 cur_perm = self.permissions_repository_groups[rg_k]
854 p = self._choose_permission(p, cur_perm)
857 p = self._choose_permission(p, cur_perm)
855 self.permissions_repository_groups[rg_k] = p, o
858 self.permissions_repository_groups[rg_k] = p, o
856
859
857 if perm.RepoGroup.user_id == self.user_id:
860 if perm.RepoGroup.user_id == self.user_id:
858 # set admin if owner, even for member of other user group
861 # set admin if owner, even for member of other user group
859 p = 'group.admin'
862 p = 'group.admin'
860 o = PermOrigin.REPOGROUP_OWNER
863 o = PermOrigin.REPOGROUP_OWNER
861 self.permissions_repository_groups[rg_k] = p, o
864 self.permissions_repository_groups[rg_k] = p, o
862
865
863 if self.user_is_admin:
866 if self.user_is_admin:
864 p = 'group.admin'
867 p = 'group.admin'
865 o = PermOrigin.SUPER_ADMIN
868 o = PermOrigin.SUPER_ADMIN
866 self.permissions_repository_groups[rg_k] = p, o
869 self.permissions_repository_groups[rg_k] = p, o
867
870
868 # user explicit permissions for repository groups
871 # user explicit permissions for repository groups
869 user_repo_groups_perms = Permission.get_default_group_perms(
872 user_repo_groups_perms = Permission.get_default_group_perms(
870 self.user_id, self.scope_repo_group_id)
873 self.user_id, self.scope_repo_group_id)
871 for perm in user_repo_groups_perms:
874 for perm in user_repo_groups_perms:
872 rg_k = perm.UserRepoGroupToPerm.group.group_name
875 rg_k = perm.UserRepoGroupToPerm.group.group_name
873 o = PermOrigin.REPOGROUP_USER % perm.UserRepoGroupToPerm\
876 o = PermOrigin.REPOGROUP_USER % perm.UserRepoGroupToPerm\
874 .user.username
877 .user.username
875 p = perm.Permission.permission_name
878 p = perm.Permission.permission_name
876
879
877 if not self.explicit:
880 if not self.explicit:
878 cur_perm = self.permissions_repository_groups.get(
881 cur_perm = self.permissions_repository_groups.get(rg_k, 'group.none')
879 rg_k, 'group.none')
880 p = self._choose_permission(p, cur_perm)
882 p = self._choose_permission(p, cur_perm)
881
883
882 self.permissions_repository_groups[rg_k] = p, o
884 self.permissions_repository_groups[rg_k] = p, o
883
885
884 if perm.RepoGroup.user_id == self.user_id:
886 if perm.RepoGroup.user_id == self.user_id:
885 # set admin if owner
887 # set admin if owner
886 p = 'group.admin'
888 p = 'group.admin'
887 o = PermOrigin.REPOGROUP_OWNER
889 o = PermOrigin.REPOGROUP_OWNER
888 self.permissions_repository_groups[rg_k] = p, o
890 self.permissions_repository_groups[rg_k] = p, o
889
891
890 if self.user_is_admin:
892 if self.user_is_admin:
891 p = 'group.admin'
893 p = 'group.admin'
892 o = PermOrigin.SUPER_ADMIN
894 o = PermOrigin.SUPER_ADMIN
893 self.permissions_repository_groups[rg_k] = p, o
895 self.permissions_repository_groups[rg_k] = p, o
894
896
895 def _calculate_user_group_permissions(self):
897 def _calculate_user_group_permissions(self):
896 """
898 """
897 User group permissions for the current user.
899 User group permissions for the current user.
898 """
900 """
899 # user group for user group permissions
901 # user group for user group permissions
900 user_group_from_user_group = Permission\
902 user_group_from_user_group = Permission\
901 .get_default_user_group_perms_from_user_group(
903 .get_default_user_group_perms_from_user_group(
902 self.user_id, self.scope_user_group_id)
904 self.user_id, self.scope_user_group_id)
903
905
904 multiple_counter = collections.defaultdict(int)
906 multiple_counter = collections.defaultdict(int)
905 for perm in user_group_from_user_group:
907 for perm in user_group_from_user_group:
906 ug_k = perm.UserGroupUserGroupToPerm\
908 ug_k = perm.UserGroupUserGroupToPerm\
907 .target_user_group.users_group_name
909 .target_user_group.users_group_name
908 multiple_counter[ug_k] += 1
910 multiple_counter[ug_k] += 1
909 o = PermOrigin.USERGROUP_USERGROUP % perm.UserGroupUserGroupToPerm\
911 o = PermOrigin.USERGROUP_USERGROUP % perm.UserGroupUserGroupToPerm\
910 .user_group.users_group_name
912 .user_group.users_group_name
911 p = perm.Permission.permission_name
913 p = perm.Permission.permission_name
912
914
913 if multiple_counter[ug_k] > 1:
915 if multiple_counter[ug_k] > 1:
914 cur_perm = self.permissions_user_groups[ug_k]
916 cur_perm = self.permissions_user_groups[ug_k]
915 p = self._choose_permission(p, cur_perm)
917 p = self._choose_permission(p, cur_perm)
916
918
917 self.permissions_user_groups[ug_k] = p, o
919 self.permissions_user_groups[ug_k] = p, o
918
920
919 if perm.UserGroup.user_id == self.user_id:
921 if perm.UserGroup.user_id == self.user_id:
920 # set admin if owner, even for member of other user group
922 # set admin if owner, even for member of other user group
921 p = 'usergroup.admin'
923 p = 'usergroup.admin'
922 o = PermOrigin.USERGROUP_OWNER
924 o = PermOrigin.USERGROUP_OWNER
923 self.permissions_user_groups[ug_k] = p, o
925 self.permissions_user_groups[ug_k] = p, o
924
926
925 if self.user_is_admin:
927 if self.user_is_admin:
926 p = 'usergroup.admin'
928 p = 'usergroup.admin'
927 o = PermOrigin.SUPER_ADMIN
929 o = PermOrigin.SUPER_ADMIN
928 self.permissions_user_groups[ug_k] = p, o
930 self.permissions_user_groups[ug_k] = p, o
929
931
930 # user explicit permission for user groups
932 # user explicit permission for user groups
931 user_user_groups_perms = Permission.get_default_user_group_perms(
933 user_user_groups_perms = Permission.get_default_user_group_perms(
932 self.user_id, self.scope_user_group_id)
934 self.user_id, self.scope_user_group_id)
933 for perm in user_user_groups_perms:
935 for perm in user_user_groups_perms:
934 ug_k = perm.UserUserGroupToPerm.user_group.users_group_name
936 ug_k = perm.UserUserGroupToPerm.user_group.users_group_name
935 o = PermOrigin.USERGROUP_USER % perm.UserUserGroupToPerm\
937 o = PermOrigin.USERGROUP_USER % perm.UserUserGroupToPerm\
936 .user.username
938 .user.username
937 p = perm.Permission.permission_name
939 p = perm.Permission.permission_name
938
940
939 if not self.explicit:
941 if not self.explicit:
940 cur_perm = self.permissions_user_groups.get(
942 cur_perm = self.permissions_user_groups.get(ug_k, 'usergroup.none')
941 ug_k, 'usergroup.none')
942 p = self._choose_permission(p, cur_perm)
943 p = self._choose_permission(p, cur_perm)
943
944
944 self.permissions_user_groups[ug_k] = p, o
945 self.permissions_user_groups[ug_k] = p, o
945
946
946 if perm.UserGroup.user_id == self.user_id:
947 if perm.UserGroup.user_id == self.user_id:
947 # set admin if owner
948 # set admin if owner
948 p = 'usergroup.admin'
949 p = 'usergroup.admin'
949 o = PermOrigin.USERGROUP_OWNER
950 o = PermOrigin.USERGROUP_OWNER
950 self.permissions_user_groups[ug_k] = p, o
951 self.permissions_user_groups[ug_k] = p, o
951
952
952 if self.user_is_admin:
953 if self.user_is_admin:
953 p = 'usergroup.admin'
954 p = 'usergroup.admin'
954 o = PermOrigin.SUPER_ADMIN
955 o = PermOrigin.SUPER_ADMIN
955 self.permissions_user_groups[ug_k] = p, o
956 self.permissions_user_groups[ug_k] = p, o
956
957
957 def _choose_permission(self, new_perm, cur_perm):
958 def _choose_permission(self, new_perm, cur_perm):
958 new_perm_val = Permission.PERM_WEIGHTS[new_perm]
959 new_perm_val = Permission.PERM_WEIGHTS[new_perm]
959 cur_perm_val = Permission.PERM_WEIGHTS[cur_perm]
960 cur_perm_val = Permission.PERM_WEIGHTS[cur_perm]
960 if self.algo == 'higherwin':
961 if self.algo == 'higherwin':
961 if new_perm_val > cur_perm_val:
962 if new_perm_val > cur_perm_val:
962 return new_perm
963 return new_perm
963 return cur_perm
964 return cur_perm
964 elif self.algo == 'lowerwin':
965 elif self.algo == 'lowerwin':
965 if new_perm_val < cur_perm_val:
966 if new_perm_val < cur_perm_val:
966 return new_perm
967 return new_perm
967 return cur_perm
968 return cur_perm
968
969
969 def _permission_structure(self):
970 def _permission_structure(self):
970 return {
971 return {
971 'global': self.permissions_global,
972 'global': self.permissions_global,
972 'repositories': self.permissions_repositories,
973 'repositories': self.permissions_repositories,
973 'repository_branches': self.permissions_repository_branches,
974 'repository_branches': self.permissions_repository_branches,
974 'repositories_groups': self.permissions_repository_groups,
975 'repositories_groups': self.permissions_repository_groups,
975 'user_groups': self.permissions_user_groups,
976 'user_groups': self.permissions_user_groups,
976 }
977 }
977
978
978
979
979 def allowed_auth_token_access(view_name, auth_token, whitelist=None):
980 def allowed_auth_token_access(view_name, auth_token, whitelist=None):
980 """
981 """
981 Check if given controller_name is in whitelist of auth token access
982 Check if given controller_name is in whitelist of auth token access
982 """
983 """
983 if not whitelist:
984 if not whitelist:
984 from rhodecode import CONFIG
985 from rhodecode import CONFIG
985 whitelist = aslist(
986 whitelist = aslist(
986 CONFIG.get('api_access_controllers_whitelist'), sep=',')
987 CONFIG.get('api_access_controllers_whitelist'), sep=',')
987 # backward compat translation
988 # backward compat translation
988 compat = {
989 compat = {
989 # old controller, new VIEW
990 # old controller, new VIEW
990 'ChangesetController:*': 'RepoCommitsView:*',
991 'ChangesetController:*': 'RepoCommitsView:*',
991 'ChangesetController:changeset_patch': 'RepoCommitsView:repo_commit_patch',
992 'ChangesetController:changeset_patch': 'RepoCommitsView:repo_commit_patch',
992 'ChangesetController:changeset_raw': 'RepoCommitsView:repo_commit_raw',
993 'ChangesetController:changeset_raw': 'RepoCommitsView:repo_commit_raw',
993 'FilesController:raw': 'RepoCommitsView:repo_commit_raw',
994 'FilesController:raw': 'RepoCommitsView:repo_commit_raw',
994 'FilesController:archivefile': 'RepoFilesView:repo_archivefile',
995 'FilesController:archivefile': 'RepoFilesView:repo_archivefile',
995 'GistsController:*': 'GistView:*',
996 'GistsController:*': 'GistView:*',
996 }
997 }
997
998
998 log.debug(
999 log.debug(
999 'Allowed views for AUTH TOKEN access: %s', whitelist)
1000 'Allowed views for AUTH TOKEN access: %s', whitelist)
1000 auth_token_access_valid = False
1001 auth_token_access_valid = False
1001
1002
1002 for entry in whitelist:
1003 for entry in whitelist:
1003 token_match = True
1004 token_match = True
1004 if entry in compat:
1005 if entry in compat:
1005 # translate from old Controllers to Pyramid Views
1006 # translate from old Controllers to Pyramid Views
1006 entry = compat[entry]
1007 entry = compat[entry]
1007
1008
1008 if '@' in entry:
1009 if '@' in entry:
1009 # specific AuthToken
1010 # specific AuthToken
1010 entry, allowed_token = entry.split('@', 1)
1011 entry, allowed_token = entry.split('@', 1)
1011 token_match = auth_token == allowed_token
1012 token_match = auth_token == allowed_token
1012
1013
1013 if fnmatch.fnmatch(view_name, entry) and token_match:
1014 if fnmatch.fnmatch(view_name, entry) and token_match:
1014 auth_token_access_valid = True
1015 auth_token_access_valid = True
1015 break
1016 break
1016
1017
1017 if auth_token_access_valid:
1018 if auth_token_access_valid:
1018 log.debug('view: `%s` matches entry in whitelist: %s',
1019 log.debug('view: `%s` matches entry in whitelist: %s',
1019 view_name, whitelist)
1020 view_name, whitelist)
1020
1021
1021 else:
1022 else:
1022 msg = ('view: `%s` does *NOT* match any entry in whitelist: %s'
1023 msg = ('view: `%s` does *NOT* match any entry in whitelist: %s'
1023 % (view_name, whitelist))
1024 % (view_name, whitelist))
1024 if auth_token:
1025 if auth_token:
1025 # if we use auth token key and don't have access it's a warning
1026 # if we use auth token key and don't have access it's a warning
1026 log.warning(msg)
1027 log.warning(msg)
1027 else:
1028 else:
1028 log.debug(msg)
1029 log.debug(msg)
1029
1030
1030 return auth_token_access_valid
1031 return auth_token_access_valid
1031
1032
1032
1033
1033 class AuthUser(object):
1034 class AuthUser(object):
1034 """
1035 """
1035 A simple object that handles all attributes of user in RhodeCode
1036 A simple object that handles all attributes of user in RhodeCode
1036
1037
1037 It does lookup based on API key,given user, or user present in session
1038 It does lookup based on API key,given user, or user present in session
1038 Then it fills all required information for such user. It also checks if
1039 Then it fills all required information for such user. It also checks if
1039 anonymous access is enabled and if so, it returns default user as logged in
1040 anonymous access is enabled and if so, it returns default user as logged in
1040 """
1041 """
1041 GLOBAL_PERMS = [x[0] for x in Permission.PERMS]
1042 GLOBAL_PERMS = [x[0] for x in Permission.PERMS]
1042
1043
1043 def __init__(self, user_id=None, api_key=None, username=None, ip_addr=None):
1044 def __init__(self, user_id=None, api_key=None, username=None, ip_addr=None):
1044
1045
1045 self.user_id = user_id
1046 self.user_id = user_id
1046 self._api_key = api_key
1047 self._api_key = api_key
1047
1048
1048 self.api_key = None
1049 self.api_key = None
1049 self.username = username
1050 self.username = username
1050 self.ip_addr = ip_addr
1051 self.ip_addr = ip_addr
1051 self.name = ''
1052 self.name = ''
1052 self.lastname = ''
1053 self.lastname = ''
1053 self.first_name = ''
1054 self.first_name = ''
1054 self.last_name = ''
1055 self.last_name = ''
1055 self.email = ''
1056 self.email = ''
1056 self.is_authenticated = False
1057 self.is_authenticated = False
1057 self.admin = False
1058 self.admin = False
1058 self.inherit_default_permissions = False
1059 self.inherit_default_permissions = False
1059 self.password = ''
1060 self.password = ''
1060
1061
1061 self.anonymous_user = None # propagated on propagate_data
1062 self.anonymous_user = None # propagated on propagate_data
1062 self.propagate_data()
1063 self.propagate_data()
1063 self._instance = None
1064 self._instance = None
1064 self._permissions_scoped_cache = {} # used to bind scoped calculation
1065 self._permissions_scoped_cache = {} # used to bind scoped calculation
1065
1066
1066 @LazyProperty
1067 @LazyProperty
1067 def permissions(self):
1068 def permissions(self):
1068 return self.get_perms(user=self, cache=None)
1069 return self.get_perms(user=self, cache=None)
1069
1070
1070 @LazyProperty
1071 @LazyProperty
1071 def permissions_safe(self):
1072 def permissions_safe(self):
1072 """
1073 """
1073 Filtered permissions excluding not allowed repositories
1074 Filtered permissions excluding not allowed repositories
1074 """
1075 """
1075 perms = self.get_perms(user=self, cache=None)
1076 perms = self.get_perms(user=self, cache=None)
1076
1077
1077 perms['repositories'] = {
1078 perms['repositories'] = {
1078 k: v for k, v in perms['repositories'].items()
1079 k: v for k, v in perms['repositories'].items()
1079 if v != 'repository.none'}
1080 if v != 'repository.none'}
1080 perms['repositories_groups'] = {
1081 perms['repositories_groups'] = {
1081 k: v for k, v in perms['repositories_groups'].items()
1082 k: v for k, v in perms['repositories_groups'].items()
1082 if v != 'group.none'}
1083 if v != 'group.none'}
1083 perms['user_groups'] = {
1084 perms['user_groups'] = {
1084 k: v for k, v in perms['user_groups'].items()
1085 k: v for k, v in perms['user_groups'].items()
1085 if v != 'usergroup.none'}
1086 if v != 'usergroup.none'}
1086 perms['repository_branches'] = {
1087 perms['repository_branches'] = {
1087 k: v for k, v in perms['repository_branches'].iteritems()
1088 k: v for k, v in perms['repository_branches'].iteritems()
1088 if v != 'branch.none'}
1089 if v != 'branch.none'}
1089 return perms
1090 return perms
1090
1091
1091 @LazyProperty
1092 @LazyProperty
1092 def permissions_full_details(self):
1093 def permissions_full_details(self):
1093 return self.get_perms(
1094 return self.get_perms(
1094 user=self, cache=None, calculate_super_admin=True)
1095 user=self, cache=None, calculate_super_admin=True)
1095
1096
1096 def permissions_with_scope(self, scope):
1097 def permissions_with_scope(self, scope):
1097 """
1098 """
1098 Call the get_perms function with scoped data. The scope in that function
1099 Call the get_perms function with scoped data. The scope in that function
1099 narrows the SQL calls to the given ID of objects resulting in fetching
1100 narrows the SQL calls to the given ID of objects resulting in fetching
1100 Just particular permission we want to obtain. If scope is an empty dict
1101 Just particular permission we want to obtain. If scope is an empty dict
1101 then it basically narrows the scope to GLOBAL permissions only.
1102 then it basically narrows the scope to GLOBAL permissions only.
1102
1103
1103 :param scope: dict
1104 :param scope: dict
1104 """
1105 """
1105 if 'repo_name' in scope:
1106 if 'repo_name' in scope:
1106 obj = Repository.get_by_repo_name(scope['repo_name'])
1107 obj = Repository.get_by_repo_name(scope['repo_name'])
1107 if obj:
1108 if obj:
1108 scope['repo_id'] = obj.repo_id
1109 scope['repo_id'] = obj.repo_id
1109 _scope = collections.OrderedDict()
1110 _scope = collections.OrderedDict()
1110 _scope['repo_id'] = -1
1111 _scope['repo_id'] = -1
1111 _scope['user_group_id'] = -1
1112 _scope['user_group_id'] = -1
1112 _scope['repo_group_id'] = -1
1113 _scope['repo_group_id'] = -1
1113
1114
1114 for k in sorted(scope.keys()):
1115 for k in sorted(scope.keys()):
1115 _scope[k] = scope[k]
1116 _scope[k] = scope[k]
1116
1117
1117 # store in cache to mimic how the @LazyProperty works,
1118 # store in cache to mimic how the @LazyProperty works,
1118 # the difference here is that we use the unique key calculated
1119 # the difference here is that we use the unique key calculated
1119 # from params and values
1120 # from params and values
1120 return self.get_perms(user=self, cache=None, scope=_scope)
1121 return self.get_perms(user=self, cache=None, scope=_scope)
1121
1122
1122 def get_instance(self):
1123 def get_instance(self):
1123 return User.get(self.user_id)
1124 return User.get(self.user_id)
1124
1125
1125 def propagate_data(self):
1126 def propagate_data(self):
1126 """
1127 """
1127 Fills in user data and propagates values to this instance. Maps fetched
1128 Fills in user data and propagates values to this instance. Maps fetched
1128 user attributes to this class instance attributes
1129 user attributes to this class instance attributes
1129 """
1130 """
1130 log.debug('AuthUser: starting data propagation for new potential user')
1131 log.debug('AuthUser: starting data propagation for new potential user')
1131 user_model = UserModel()
1132 user_model = UserModel()
1132 anon_user = self.anonymous_user = User.get_default_user(cache=True)
1133 anon_user = self.anonymous_user = User.get_default_user(cache=True)
1133 is_user_loaded = False
1134 is_user_loaded = False
1134
1135
1135 # lookup by userid
1136 # lookup by userid
1136 if self.user_id is not None and self.user_id != anon_user.user_id:
1137 if self.user_id is not None and self.user_id != anon_user.user_id:
1137 log.debug('Trying Auth User lookup by USER ID: `%s`', self.user_id)
1138 log.debug('Trying Auth User lookup by USER ID: `%s`', self.user_id)
1138 is_user_loaded = user_model.fill_data(self, user_id=self.user_id)
1139 is_user_loaded = user_model.fill_data(self, user_id=self.user_id)
1139
1140
1140 # try go get user by api key
1141 # try go get user by api key
1141 elif self._api_key and self._api_key != anon_user.api_key:
1142 elif self._api_key and self._api_key != anon_user.api_key:
1142 log.debug('Trying Auth User lookup by API KEY: `%s`', self._api_key)
1143 log.debug('Trying Auth User lookup by API KEY: `%s`', self._api_key)
1143 is_user_loaded = user_model.fill_data(self, api_key=self._api_key)
1144 is_user_loaded = user_model.fill_data(self, api_key=self._api_key)
1144
1145
1145 # lookup by username
1146 # lookup by username
1146 elif self.username:
1147 elif self.username:
1147 log.debug('Trying Auth User lookup by USER NAME: `%s`', self.username)
1148 log.debug('Trying Auth User lookup by USER NAME: `%s`', self.username)
1148 is_user_loaded = user_model.fill_data(self, username=self.username)
1149 is_user_loaded = user_model.fill_data(self, username=self.username)
1149 else:
1150 else:
1150 log.debug('No data in %s that could been used to log in', self)
1151 log.debug('No data in %s that could been used to log in', self)
1151
1152
1152 if not is_user_loaded:
1153 if not is_user_loaded:
1153 log.debug(
1154 log.debug(
1154 'Failed to load user. Fallback to default user %s', anon_user)
1155 'Failed to load user. Fallback to default user %s', anon_user)
1155 # if we cannot authenticate user try anonymous
1156 # if we cannot authenticate user try anonymous
1156 if anon_user.active:
1157 if anon_user.active:
1157 log.debug('default user is active, using it as a session user')
1158 log.debug('default user is active, using it as a session user')
1158 user_model.fill_data(self, user_id=anon_user.user_id)
1159 user_model.fill_data(self, user_id=anon_user.user_id)
1159 # then we set this user is logged in
1160 # then we set this user is logged in
1160 self.is_authenticated = True
1161 self.is_authenticated = True
1161 else:
1162 else:
1162 log.debug('default user is NOT active')
1163 log.debug('default user is NOT active')
1163 # in case of disabled anonymous user we reset some of the
1164 # in case of disabled anonymous user we reset some of the
1164 # parameters so such user is "corrupted", skipping the fill_data
1165 # parameters so such user is "corrupted", skipping the fill_data
1165 for attr in ['user_id', 'username', 'admin', 'active']:
1166 for attr in ['user_id', 'username', 'admin', 'active']:
1166 setattr(self, attr, None)
1167 setattr(self, attr, None)
1167 self.is_authenticated = False
1168 self.is_authenticated = False
1168
1169
1169 if not self.username:
1170 if not self.username:
1170 self.username = 'None'
1171 self.username = 'None'
1171
1172
1172 log.debug('AuthUser: propagated user is now %s', self)
1173 log.debug('AuthUser: propagated user is now %s', self)
1173
1174
1174 def get_perms(self, user, scope=None, explicit=True, algo='higherwin',
1175 def get_perms(self, user, scope=None, explicit=True, algo='higherwin',
1175 calculate_super_admin=False, cache=None):
1176 calculate_super_admin=False, cache=None):
1176 """
1177 """
1177 Fills user permission attribute with permissions taken from database
1178 Fills user permission attribute with permissions taken from database
1178 works for permissions given for repositories, and for permissions that
1179 works for permissions given for repositories, and for permissions that
1179 are granted to groups
1180 are granted to groups
1180
1181
1181 :param user: instance of User object from database
1182 :param user: instance of User object from database
1182 :param explicit: In case there are permissions both for user and a group
1183 :param explicit: In case there are permissions both for user and a group
1183 that user is part of, explicit flag will defiine if user will
1184 that user is part of, explicit flag will defiine if user will
1184 explicitly override permissions from group, if it's False it will
1185 explicitly override permissions from group, if it's False it will
1185 make decision based on the algo
1186 make decision based on the algo
1186 :param algo: algorithm to decide what permission should be choose if
1187 :param algo: algorithm to decide what permission should be choose if
1187 it's multiple defined, eg user in two different groups. It also
1188 it's multiple defined, eg user in two different groups. It also
1188 decides if explicit flag is turned off how to specify the permission
1189 decides if explicit flag is turned off how to specify the permission
1189 for case when user is in a group + have defined separate permission
1190 for case when user is in a group + have defined separate permission
1190 :param calculate_super_admin: calculate permissions for super-admin in the
1191 :param calculate_super_admin: calculate permissions for super-admin in the
1191 same way as for regular user without speedups
1192 same way as for regular user without speedups
1192 :param cache: Use caching for calculation, None = let the cache backend decide
1193 :param cache: Use caching for calculation, None = let the cache backend decide
1193 """
1194 """
1194 user_id = user.user_id
1195 user_id = user.user_id
1195 user_is_admin = user.is_admin
1196 user_is_admin = user.is_admin
1196
1197
1197 # inheritance of global permissions like create repo/fork repo etc
1198 # inheritance of global permissions like create repo/fork repo etc
1198 user_inherit_default_permissions = user.inherit_default_permissions
1199 user_inherit_default_permissions = user.inherit_default_permissions
1199
1200
1200 cache_seconds = safe_int(
1201 cache_seconds = safe_int(
1201 rhodecode.CONFIG.get('rc_cache.cache_perms.expiration_time'))
1202 rhodecode.CONFIG.get('rc_cache.cache_perms.expiration_time'))
1202
1203
1203 if cache is None:
1204 if cache is None:
1204 # let the backend cache decide
1205 # let the backend cache decide
1205 cache_on = cache_seconds > 0
1206 cache_on = cache_seconds > 0
1206 else:
1207 else:
1207 cache_on = cache
1208 cache_on = cache
1208
1209
1209 log.debug(
1210 log.debug(
1210 'Computing PERMISSION tree for user %s scope `%s` '
1211 'Computing PERMISSION tree for user %s scope `%s` '
1211 'with caching: %s[TTL: %ss]', user, scope, cache_on, cache_seconds or 0)
1212 'with caching: %s[TTL: %ss]', user, scope, cache_on, cache_seconds or 0)
1212
1213
1213 cache_namespace_uid = 'cache_user_auth.{}'.format(user_id)
1214 cache_namespace_uid = 'cache_user_auth.{}'.format(user_id)
1214 region = rc_cache.get_or_create_region('cache_perms', cache_namespace_uid)
1215 region = rc_cache.get_or_create_region('cache_perms', cache_namespace_uid)
1215
1216
1216 @region.conditional_cache_on_arguments(namespace=cache_namespace_uid,
1217 @region.conditional_cache_on_arguments(namespace=cache_namespace_uid,
1217 condition=cache_on)
1218 condition=cache_on)
1218 def compute_perm_tree(cache_name,
1219 def compute_perm_tree(cache_name,
1219 user_id, scope, user_is_admin,user_inherit_default_permissions,
1220 user_id, scope, user_is_admin,user_inherit_default_permissions,
1220 explicit, algo, calculate_super_admin):
1221 explicit, algo, calculate_super_admin):
1221 return _cached_perms_data(
1222 return _cached_perms_data(
1222 user_id, scope, user_is_admin, user_inherit_default_permissions,
1223 user_id, scope, user_is_admin, user_inherit_default_permissions,
1223 explicit, algo, calculate_super_admin)
1224 explicit, algo, calculate_super_admin)
1224
1225
1225 start = time.time()
1226 start = time.time()
1226 result = compute_perm_tree(
1227 result = compute_perm_tree(
1227 'permissions', user_id, scope, user_is_admin,
1228 'permissions', user_id, scope, user_is_admin,
1228 user_inherit_default_permissions, explicit, algo,
1229 user_inherit_default_permissions, explicit, algo,
1229 calculate_super_admin)
1230 calculate_super_admin)
1230
1231
1231 result_repr = []
1232 result_repr = []
1232 for k in result:
1233 for k in result:
1233 result_repr.append((k, len(result[k])))
1234 result_repr.append((k, len(result[k])))
1234 total = time.time() - start
1235 total = time.time() - start
1235 log.debug('PERMISSION tree for user %s computed in %.3fs: %s',
1236 log.debug('PERMISSION tree for user %s computed in %.3fs: %s',
1236 user, total, result_repr)
1237 user, total, result_repr)
1237
1238
1238 return result
1239 return result
1239
1240
1240 @property
1241 @property
1241 def is_default(self):
1242 def is_default(self):
1242 return self.username == User.DEFAULT_USER
1243 return self.username == User.DEFAULT_USER
1243
1244
1244 @property
1245 @property
1245 def is_admin(self):
1246 def is_admin(self):
1246 return self.admin
1247 return self.admin
1247
1248
1248 @property
1249 @property
1249 def is_user_object(self):
1250 def is_user_object(self):
1250 return self.user_id is not None
1251 return self.user_id is not None
1251
1252
1252 @property
1253 @property
1253 def repositories_admin(self):
1254 def repositories_admin(self):
1254 """
1255 """
1255 Returns list of repositories you're an admin of
1256 Returns list of repositories you're an admin of
1256 """
1257 """
1257 return [
1258 return [
1258 x[0] for x in self.permissions['repositories'].items()
1259 x[0] for x in self.permissions['repositories'].items()
1259 if x[1] == 'repository.admin']
1260 if x[1] == 'repository.admin']
1260
1261
1261 @property
1262 @property
1262 def repository_groups_admin(self):
1263 def repository_groups_admin(self):
1263 """
1264 """
1264 Returns list of repository groups you're an admin of
1265 Returns list of repository groups you're an admin of
1265 """
1266 """
1266 return [
1267 return [
1267 x[0] for x in self.permissions['repositories_groups'].items()
1268 x[0] for x in self.permissions['repositories_groups'].items()
1268 if x[1] == 'group.admin']
1269 if x[1] == 'group.admin']
1269
1270
1270 @property
1271 @property
1271 def user_groups_admin(self):
1272 def user_groups_admin(self):
1272 """
1273 """
1273 Returns list of user groups you're an admin of
1274 Returns list of user groups you're an admin of
1274 """
1275 """
1275 return [
1276 return [
1276 x[0] for x in self.permissions['user_groups'].items()
1277 x[0] for x in self.permissions['user_groups'].items()
1277 if x[1] == 'usergroup.admin']
1278 if x[1] == 'usergroup.admin']
1278
1279
1279 def repo_acl_ids(self, perms=None, name_filter=None, cache=False):
1280 def repo_acl_ids(self, perms=None, name_filter=None, cache=False):
1280 """
1281 """
1281 Returns list of repository ids that user have access to based on given
1282 Returns list of repository ids that user have access to based on given
1282 perms. The cache flag should be only used in cases that are used for
1283 perms. The cache flag should be only used in cases that are used for
1283 display purposes, NOT IN ANY CASE for permission checks.
1284 display purposes, NOT IN ANY CASE for permission checks.
1284 """
1285 """
1285 from rhodecode.model.scm import RepoList
1286 from rhodecode.model.scm import RepoList
1286 if not perms:
1287 if not perms:
1287 perms = [
1288 perms = [
1288 'repository.read', 'repository.write', 'repository.admin']
1289 'repository.read', 'repository.write', 'repository.admin']
1289
1290
1290 def _cached_repo_acl(user_id, perm_def, _name_filter):
1291 def _cached_repo_acl(user_id, perm_def, _name_filter):
1291 qry = Repository.query()
1292 qry = Repository.query()
1292 if _name_filter:
1293 if _name_filter:
1293 ilike_expression = u'%{}%'.format(safe_unicode(_name_filter))
1294 ilike_expression = u'%{}%'.format(safe_unicode(_name_filter))
1294 qry = qry.filter(
1295 qry = qry.filter(
1295 Repository.repo_name.ilike(ilike_expression))
1296 Repository.repo_name.ilike(ilike_expression))
1296
1297
1297 return [x.repo_id for x in
1298 return [x.repo_id for x in
1298 RepoList(qry, perm_set=perm_def)]
1299 RepoList(qry, perm_set=perm_def)]
1299
1300
1300 return _cached_repo_acl(self.user_id, perms, name_filter)
1301 return _cached_repo_acl(self.user_id, perms, name_filter)
1301
1302
1302 def repo_group_acl_ids(self, perms=None, name_filter=None, cache=False):
1303 def repo_group_acl_ids(self, perms=None, name_filter=None, cache=False):
1303 """
1304 """
1304 Returns list of repository group ids that user have access to based on given
1305 Returns list of repository group ids that user have access to based on given
1305 perms. The cache flag should be only used in cases that are used for
1306 perms. The cache flag should be only used in cases that are used for
1306 display purposes, NOT IN ANY CASE for permission checks.
1307 display purposes, NOT IN ANY CASE for permission checks.
1307 """
1308 """
1308 from rhodecode.model.scm import RepoGroupList
1309 from rhodecode.model.scm import RepoGroupList
1309 if not perms:
1310 if not perms:
1310 perms = [
1311 perms = [
1311 'group.read', 'group.write', 'group.admin']
1312 'group.read', 'group.write', 'group.admin']
1312
1313
1313 def _cached_repo_group_acl(user_id, perm_def, _name_filter):
1314 def _cached_repo_group_acl(user_id, perm_def, _name_filter):
1314 qry = RepoGroup.query()
1315 qry = RepoGroup.query()
1315 if _name_filter:
1316 if _name_filter:
1316 ilike_expression = u'%{}%'.format(safe_unicode(_name_filter))
1317 ilike_expression = u'%{}%'.format(safe_unicode(_name_filter))
1317 qry = qry.filter(
1318 qry = qry.filter(
1318 RepoGroup.group_name.ilike(ilike_expression))
1319 RepoGroup.group_name.ilike(ilike_expression))
1319
1320
1320 return [x.group_id for x in
1321 return [x.group_id for x in
1321 RepoGroupList(qry, perm_set=perm_def)]
1322 RepoGroupList(qry, perm_set=perm_def)]
1322
1323
1323 return _cached_repo_group_acl(self.user_id, perms, name_filter)
1324 return _cached_repo_group_acl(self.user_id, perms, name_filter)
1324
1325
1325 def user_group_acl_ids(self, perms=None, name_filter=None, cache=False):
1326 def user_group_acl_ids(self, perms=None, name_filter=None, cache=False):
1326 """
1327 """
1327 Returns list of user group ids that user have access to based on given
1328 Returns list of user group ids that user have access to based on given
1328 perms. The cache flag should be only used in cases that are used for
1329 perms. The cache flag should be only used in cases that are used for
1329 display purposes, NOT IN ANY CASE for permission checks.
1330 display purposes, NOT IN ANY CASE for permission checks.
1330 """
1331 """
1331 from rhodecode.model.scm import UserGroupList
1332 from rhodecode.model.scm import UserGroupList
1332 if not perms:
1333 if not perms:
1333 perms = [
1334 perms = [
1334 'usergroup.read', 'usergroup.write', 'usergroup.admin']
1335 'usergroup.read', 'usergroup.write', 'usergroup.admin']
1335
1336
1336 def _cached_user_group_acl(user_id, perm_def, name_filter):
1337 def _cached_user_group_acl(user_id, perm_def, name_filter):
1337 qry = UserGroup.query()
1338 qry = UserGroup.query()
1338 if name_filter:
1339 if name_filter:
1339 ilike_expression = u'%{}%'.format(safe_unicode(name_filter))
1340 ilike_expression = u'%{}%'.format(safe_unicode(name_filter))
1340 qry = qry.filter(
1341 qry = qry.filter(
1341 UserGroup.users_group_name.ilike(ilike_expression))
1342 UserGroup.users_group_name.ilike(ilike_expression))
1342
1343
1343 return [x.users_group_id for x in
1344 return [x.users_group_id for x in
1344 UserGroupList(qry, perm_set=perm_def)]
1345 UserGroupList(qry, perm_set=perm_def)]
1345
1346
1346 return _cached_user_group_acl(self.user_id, perms, name_filter)
1347 return _cached_user_group_acl(self.user_id, perms, name_filter)
1347
1348
1348 @property
1349 @property
1349 def ip_allowed(self):
1350 def ip_allowed(self):
1350 """
1351 """
1351 Checks if ip_addr used in constructor is allowed from defined list of
1352 Checks if ip_addr used in constructor is allowed from defined list of
1352 allowed ip_addresses for user
1353 allowed ip_addresses for user
1353
1354
1354 :returns: boolean, True if ip is in allowed ip range
1355 :returns: boolean, True if ip is in allowed ip range
1355 """
1356 """
1356 # check IP
1357 # check IP
1357 inherit = self.inherit_default_permissions
1358 inherit = self.inherit_default_permissions
1358 return AuthUser.check_ip_allowed(self.user_id, self.ip_addr,
1359 return AuthUser.check_ip_allowed(self.user_id, self.ip_addr,
1359 inherit_from_default=inherit)
1360 inherit_from_default=inherit)
1360 @property
1361 @property
1361 def personal_repo_group(self):
1362 def personal_repo_group(self):
1362 return RepoGroup.get_user_personal_repo_group(self.user_id)
1363 return RepoGroup.get_user_personal_repo_group(self.user_id)
1363
1364
1364 @LazyProperty
1365 @LazyProperty
1365 def feed_token(self):
1366 def feed_token(self):
1366 return self.get_instance().feed_token
1367 return self.get_instance().feed_token
1367
1368
1368 @classmethod
1369 @classmethod
1369 def check_ip_allowed(cls, user_id, ip_addr, inherit_from_default):
1370 def check_ip_allowed(cls, user_id, ip_addr, inherit_from_default):
1370 allowed_ips = AuthUser.get_allowed_ips(
1371 allowed_ips = AuthUser.get_allowed_ips(
1371 user_id, cache=True, inherit_from_default=inherit_from_default)
1372 user_id, cache=True, inherit_from_default=inherit_from_default)
1372 if check_ip_access(source_ip=ip_addr, allowed_ips=allowed_ips):
1373 if check_ip_access(source_ip=ip_addr, allowed_ips=allowed_ips):
1373 log.debug('IP:%s for user %s is in range of %s',
1374 log.debug('IP:%s for user %s is in range of %s',
1374 ip_addr, user_id, allowed_ips)
1375 ip_addr, user_id, allowed_ips)
1375 return True
1376 return True
1376 else:
1377 else:
1377 log.info('Access for IP:%s forbidden for user %s, '
1378 log.info('Access for IP:%s forbidden for user %s, '
1378 'not in %s', ip_addr, user_id, allowed_ips)
1379 'not in %s', ip_addr, user_id, allowed_ips)
1379 return False
1380 return False
1380
1381
1381 def get_branch_permissions(self, repo_name, perms=None):
1382 def get_branch_permissions(self, repo_name, perms=None):
1382 perms = perms or self.permissions_with_scope({'repo_name': repo_name})
1383 perms = perms or self.permissions_with_scope({'repo_name': repo_name})
1383 branch_perms = perms.get('repository_branches', {})
1384 branch_perms = perms.get('repository_branches', {})
1384 if not branch_perms:
1385 if not branch_perms:
1385 return {}
1386 return {}
1386 repo_branch_perms = branch_perms.get(repo_name)
1387 repo_branch_perms = branch_perms.get(repo_name)
1387 return repo_branch_perms or {}
1388 return repo_branch_perms or {}
1388
1389
1389 def get_rule_and_branch_permission(self, repo_name, branch_name):
1390 def get_rule_and_branch_permission(self, repo_name, branch_name):
1390 """
1391 """
1391 Check if this AuthUser has defined any permissions for branches. If any of
1392 Check if this AuthUser has defined any permissions for branches. If any of
1392 the rules match in order, we return the matching permissions
1393 the rules match in order, we return the matching permissions
1393 """
1394 """
1394
1395
1395 rule = default_perm = ''
1396 rule = default_perm = ''
1396
1397
1397 repo_branch_perms = self.get_branch_permissions(repo_name=repo_name)
1398 repo_branch_perms = self.get_branch_permissions(repo_name=repo_name)
1398 if not repo_branch_perms:
1399 if not repo_branch_perms:
1399 return rule, default_perm
1400 return rule, default_perm
1400
1401
1401 # now calculate the permissions
1402 # now calculate the permissions
1402 for pattern, branch_perm in repo_branch_perms.items():
1403 for pattern, branch_perm in repo_branch_perms.items():
1403 if fnmatch.fnmatch(branch_name, pattern):
1404 if fnmatch.fnmatch(branch_name, pattern):
1404 rule = '`{}`=>{}'.format(pattern, branch_perm)
1405 rule = '`{}`=>{}'.format(pattern, branch_perm)
1405 return rule, branch_perm
1406 return rule, branch_perm
1406
1407
1407 return rule, default_perm
1408 return rule, default_perm
1408
1409
1409 def __repr__(self):
1410 def __repr__(self):
1410 return "<AuthUser('id:%s[%s] ip:%s auth:%s')>"\
1411 return "<AuthUser('id:%s[%s] ip:%s auth:%s')>"\
1411 % (self.user_id, self.username, self.ip_addr, self.is_authenticated)
1412 % (self.user_id, self.username, self.ip_addr, self.is_authenticated)
1412
1413
1413 def set_authenticated(self, authenticated=True):
1414 def set_authenticated(self, authenticated=True):
1414 if self.user_id != self.anonymous_user.user_id:
1415 if self.user_id != self.anonymous_user.user_id:
1415 self.is_authenticated = authenticated
1416 self.is_authenticated = authenticated
1416
1417
1417 def get_cookie_store(self):
1418 def get_cookie_store(self):
1418 return {
1419 return {
1419 'username': self.username,
1420 'username': self.username,
1420 'password': md5(self.password or ''),
1421 'password': md5(self.password or ''),
1421 'user_id': self.user_id,
1422 'user_id': self.user_id,
1422 'is_authenticated': self.is_authenticated
1423 'is_authenticated': self.is_authenticated
1423 }
1424 }
1424
1425
1425 @classmethod
1426 @classmethod
1426 def from_cookie_store(cls, cookie_store):
1427 def from_cookie_store(cls, cookie_store):
1427 """
1428 """
1428 Creates AuthUser from a cookie store
1429 Creates AuthUser from a cookie store
1429
1430
1430 :param cls:
1431 :param cls:
1431 :param cookie_store:
1432 :param cookie_store:
1432 """
1433 """
1433 user_id = cookie_store.get('user_id')
1434 user_id = cookie_store.get('user_id')
1434 username = cookie_store.get('username')
1435 username = cookie_store.get('username')
1435 api_key = cookie_store.get('api_key')
1436 api_key = cookie_store.get('api_key')
1436 return AuthUser(user_id, api_key, username)
1437 return AuthUser(user_id, api_key, username)
1437
1438
1438 @classmethod
1439 @classmethod
1439 def get_allowed_ips(cls, user_id, cache=False, inherit_from_default=False):
1440 def get_allowed_ips(cls, user_id, cache=False, inherit_from_default=False):
1440 _set = set()
1441 _set = set()
1441
1442
1442 if inherit_from_default:
1443 if inherit_from_default:
1443 def_user_id = User.get_default_user(cache=True).user_id
1444 def_user_id = User.get_default_user(cache=True).user_id
1444 default_ips = UserIpMap.query().filter(UserIpMap.user_id == def_user_id)
1445 default_ips = UserIpMap.query().filter(UserIpMap.user_id == def_user_id)
1445 if cache:
1446 if cache:
1446 default_ips = default_ips.options(
1447 default_ips = default_ips.options(
1447 FromCache("sql_cache_short", "get_user_ips_default"))
1448 FromCache("sql_cache_short", "get_user_ips_default"))
1448
1449
1449 # populate from default user
1450 # populate from default user
1450 for ip in default_ips:
1451 for ip in default_ips:
1451 try:
1452 try:
1452 _set.add(ip.ip_addr)
1453 _set.add(ip.ip_addr)
1453 except ObjectDeletedError:
1454 except ObjectDeletedError:
1454 # since we use heavy caching sometimes it happens that
1455 # since we use heavy caching sometimes it happens that
1455 # we get deleted objects here, we just skip them
1456 # we get deleted objects here, we just skip them
1456 pass
1457 pass
1457
1458
1458 # NOTE:(marcink) we don't want to load any rules for empty
1459 # NOTE:(marcink) we don't want to load any rules for empty
1459 # user_id which is the case of access of non logged users when anonymous
1460 # user_id which is the case of access of non logged users when anonymous
1460 # access is disabled
1461 # access is disabled
1461 user_ips = []
1462 user_ips = []
1462 if user_id:
1463 if user_id:
1463 user_ips = UserIpMap.query().filter(UserIpMap.user_id == user_id)
1464 user_ips = UserIpMap.query().filter(UserIpMap.user_id == user_id)
1464 if cache:
1465 if cache:
1465 user_ips = user_ips.options(
1466 user_ips = user_ips.options(
1466 FromCache("sql_cache_short", "get_user_ips_%s" % user_id))
1467 FromCache("sql_cache_short", "get_user_ips_%s" % user_id))
1467
1468
1468 for ip in user_ips:
1469 for ip in user_ips:
1469 try:
1470 try:
1470 _set.add(ip.ip_addr)
1471 _set.add(ip.ip_addr)
1471 except ObjectDeletedError:
1472 except ObjectDeletedError:
1472 # since we use heavy caching sometimes it happens that we get
1473 # since we use heavy caching sometimes it happens that we get
1473 # deleted objects here, we just skip them
1474 # deleted objects here, we just skip them
1474 pass
1475 pass
1475 return _set or {ip for ip in ['0.0.0.0/0', '::/0']}
1476 return _set or {ip for ip in ['0.0.0.0/0', '::/0']}
1476
1477
1477
1478
1478 def set_available_permissions(settings):
1479 def set_available_permissions(settings):
1479 """
1480 """
1480 This function will propagate pyramid settings with all available defined
1481 This function will propagate pyramid settings with all available defined
1481 permission given in db. We don't want to check each time from db for new
1482 permission given in db. We don't want to check each time from db for new
1482 permissions since adding a new permission also requires application restart
1483 permissions since adding a new permission also requires application restart
1483 ie. to decorate new views with the newly created permission
1484 ie. to decorate new views with the newly created permission
1484
1485
1485 :param settings: current pyramid registry.settings
1486 :param settings: current pyramid registry.settings
1486
1487
1487 """
1488 """
1488 log.debug('auth: getting information about all available permissions')
1489 log.debug('auth: getting information about all available permissions')
1489 try:
1490 try:
1490 sa = meta.Session
1491 sa = meta.Session
1491 all_perms = sa.query(Permission).all()
1492 all_perms = sa.query(Permission).all()
1492 settings.setdefault('available_permissions',
1493 settings.setdefault('available_permissions',
1493 [x.permission_name for x in all_perms])
1494 [x.permission_name for x in all_perms])
1494 log.debug('auth: set available permissions')
1495 log.debug('auth: set available permissions')
1495 except Exception:
1496 except Exception:
1496 log.exception('Failed to fetch permissions from the database.')
1497 log.exception('Failed to fetch permissions from the database.')
1497 raise
1498 raise
1498
1499
1499
1500
1500 def get_csrf_token(session, force_new=False, save_if_missing=True):
1501 def get_csrf_token(session, force_new=False, save_if_missing=True):
1501 """
1502 """
1502 Return the current authentication token, creating one if one doesn't
1503 Return the current authentication token, creating one if one doesn't
1503 already exist and the save_if_missing flag is present.
1504 already exist and the save_if_missing flag is present.
1504
1505
1505 :param session: pass in the pyramid session, else we use the global ones
1506 :param session: pass in the pyramid session, else we use the global ones
1506 :param force_new: force to re-generate the token and store it in session
1507 :param force_new: force to re-generate the token and store it in session
1507 :param save_if_missing: save the newly generated token if it's missing in
1508 :param save_if_missing: save the newly generated token if it's missing in
1508 session
1509 session
1509 """
1510 """
1510 # NOTE(marcink): probably should be replaced with below one from pyramid 1.9
1511 # NOTE(marcink): probably should be replaced with below one from pyramid 1.9
1511 # from pyramid.csrf import get_csrf_token
1512 # from pyramid.csrf import get_csrf_token
1512
1513
1513 if (csrf_token_key not in session and save_if_missing) or force_new:
1514 if (csrf_token_key not in session and save_if_missing) or force_new:
1514 token = hashlib.sha1(str(random.getrandbits(128))).hexdigest()
1515 token = hashlib.sha1(str(random.getrandbits(128))).hexdigest()
1515 session[csrf_token_key] = token
1516 session[csrf_token_key] = token
1516 if hasattr(session, 'save'):
1517 if hasattr(session, 'save'):
1517 session.save()
1518 session.save()
1518 return session.get(csrf_token_key)
1519 return session.get(csrf_token_key)
1519
1520
1520
1521
1521 def get_request(perm_class_instance):
1522 def get_request(perm_class_instance):
1522 from pyramid.threadlocal import get_current_request
1523 from pyramid.threadlocal import get_current_request
1523 pyramid_request = get_current_request()
1524 pyramid_request = get_current_request()
1524 return pyramid_request
1525 return pyramid_request
1525
1526
1526
1527
1527 # CHECK DECORATORS
1528 # CHECK DECORATORS
1528 class CSRFRequired(object):
1529 class CSRFRequired(object):
1529 """
1530 """
1530 Decorator for authenticating a form
1531 Decorator for authenticating a form
1531
1532
1532 This decorator uses an authorization token stored in the client's
1533 This decorator uses an authorization token stored in the client's
1533 session for prevention of certain Cross-site request forgery (CSRF)
1534 session for prevention of certain Cross-site request forgery (CSRF)
1534 attacks (See
1535 attacks (See
1535 http://en.wikipedia.org/wiki/Cross-site_request_forgery for more
1536 http://en.wikipedia.org/wiki/Cross-site_request_forgery for more
1536 information).
1537 information).
1537
1538
1538 For use with the ``webhelpers.secure_form`` helper functions.
1539 For use with the ``webhelpers.secure_form`` helper functions.
1539
1540
1540 """
1541 """
1541 def __init__(self, token=csrf_token_key, header='X-CSRF-Token',
1542 def __init__(self, token=csrf_token_key, header='X-CSRF-Token',
1542 except_methods=None):
1543 except_methods=None):
1543 self.token = token
1544 self.token = token
1544 self.header = header
1545 self.header = header
1545 self.except_methods = except_methods or []
1546 self.except_methods = except_methods or []
1546
1547
1547 def __call__(self, func):
1548 def __call__(self, func):
1548 return get_cython_compat_decorator(self.__wrapper, func)
1549 return get_cython_compat_decorator(self.__wrapper, func)
1549
1550
1550 def _get_csrf(self, _request):
1551 def _get_csrf(self, _request):
1551 return _request.POST.get(self.token, _request.headers.get(self.header))
1552 return _request.POST.get(self.token, _request.headers.get(self.header))
1552
1553
1553 def check_csrf(self, _request, cur_token):
1554 def check_csrf(self, _request, cur_token):
1554 supplied_token = self._get_csrf(_request)
1555 supplied_token = self._get_csrf(_request)
1555 return supplied_token and supplied_token == cur_token
1556 return supplied_token and supplied_token == cur_token
1556
1557
1557 def _get_request(self):
1558 def _get_request(self):
1558 return get_request(self)
1559 return get_request(self)
1559
1560
1560 def __wrapper(self, func, *fargs, **fkwargs):
1561 def __wrapper(self, func, *fargs, **fkwargs):
1561 request = self._get_request()
1562 request = self._get_request()
1562
1563
1563 if request.method in self.except_methods:
1564 if request.method in self.except_methods:
1564 return func(*fargs, **fkwargs)
1565 return func(*fargs, **fkwargs)
1565
1566
1566 cur_token = get_csrf_token(request.session, save_if_missing=False)
1567 cur_token = get_csrf_token(request.session, save_if_missing=False)
1567 if self.check_csrf(request, cur_token):
1568 if self.check_csrf(request, cur_token):
1568 if request.POST.get(self.token):
1569 if request.POST.get(self.token):
1569 del request.POST[self.token]
1570 del request.POST[self.token]
1570 return func(*fargs, **fkwargs)
1571 return func(*fargs, **fkwargs)
1571 else:
1572 else:
1572 reason = 'token-missing'
1573 reason = 'token-missing'
1573 supplied_token = self._get_csrf(request)
1574 supplied_token = self._get_csrf(request)
1574 if supplied_token and cur_token != supplied_token:
1575 if supplied_token and cur_token != supplied_token:
1575 reason = 'token-mismatch [%s:%s]' % (
1576 reason = 'token-mismatch [%s:%s]' % (
1576 cur_token or ''[:6], supplied_token or ''[:6])
1577 cur_token or ''[:6], supplied_token or ''[:6])
1577
1578
1578 csrf_message = \
1579 csrf_message = \
1579 ("Cross-site request forgery detected, request denied. See "
1580 ("Cross-site request forgery detected, request denied. See "
1580 "http://en.wikipedia.org/wiki/Cross-site_request_forgery for "
1581 "http://en.wikipedia.org/wiki/Cross-site_request_forgery for "
1581 "more information.")
1582 "more information.")
1582 log.warn('Cross-site request forgery detected, request %r DENIED: %s '
1583 log.warn('Cross-site request forgery detected, request %r DENIED: %s '
1583 'REMOTE_ADDR:%s, HEADERS:%s' % (
1584 'REMOTE_ADDR:%s, HEADERS:%s' % (
1584 request, reason, request.remote_addr, request.headers))
1585 request, reason, request.remote_addr, request.headers))
1585
1586
1586 raise HTTPForbidden(explanation=csrf_message)
1587 raise HTTPForbidden(explanation=csrf_message)
1587
1588
1588
1589
1589 class LoginRequired(object):
1590 class LoginRequired(object):
1590 """
1591 """
1591 Must be logged in to execute this function else
1592 Must be logged in to execute this function else
1592 redirect to login page
1593 redirect to login page
1593
1594
1594 :param api_access: if enabled this checks only for valid auth token
1595 :param api_access: if enabled this checks only for valid auth token
1595 and grants access based on valid token
1596 and grants access based on valid token
1596 """
1597 """
1597 def __init__(self, auth_token_access=None):
1598 def __init__(self, auth_token_access=None):
1598 self.auth_token_access = auth_token_access
1599 self.auth_token_access = auth_token_access
1599
1600
1600 def __call__(self, func):
1601 def __call__(self, func):
1601 return get_cython_compat_decorator(self.__wrapper, func)
1602 return get_cython_compat_decorator(self.__wrapper, func)
1602
1603
1603 def _get_request(self):
1604 def _get_request(self):
1604 return get_request(self)
1605 return get_request(self)
1605
1606
1606 def __wrapper(self, func, *fargs, **fkwargs):
1607 def __wrapper(self, func, *fargs, **fkwargs):
1607 from rhodecode.lib import helpers as h
1608 from rhodecode.lib import helpers as h
1608 cls = fargs[0]
1609 cls = fargs[0]
1609 user = cls._rhodecode_user
1610 user = cls._rhodecode_user
1610 request = self._get_request()
1611 request = self._get_request()
1611 _ = request.translate
1612 _ = request.translate
1612
1613
1613 loc = "%s:%s" % (cls.__class__.__name__, func.__name__)
1614 loc = "%s:%s" % (cls.__class__.__name__, func.__name__)
1614 log.debug('Starting login restriction checks for user: %s', user)
1615 log.debug('Starting login restriction checks for user: %s', user)
1615 # check if our IP is allowed
1616 # check if our IP is allowed
1616 ip_access_valid = True
1617 ip_access_valid = True
1617 if not user.ip_allowed:
1618 if not user.ip_allowed:
1618 h.flash(h.literal(_('IP %s not allowed' % (user.ip_addr,))),
1619 h.flash(h.literal(_('IP %s not allowed' % (user.ip_addr,))),
1619 category='warning')
1620 category='warning')
1620 ip_access_valid = False
1621 ip_access_valid = False
1621
1622
1622 # check if we used an APIKEY and it's a valid one
1623 # check if we used an APIKEY and it's a valid one
1623 # defined white-list of controllers which API access will be enabled
1624 # defined white-list of controllers which API access will be enabled
1624 _auth_token = request.GET.get(
1625 _auth_token = request.GET.get(
1625 'auth_token', '') or request.GET.get('api_key', '')
1626 'auth_token', '') or request.GET.get('api_key', '')
1626 auth_token_access_valid = allowed_auth_token_access(
1627 auth_token_access_valid = allowed_auth_token_access(
1627 loc, auth_token=_auth_token)
1628 loc, auth_token=_auth_token)
1628
1629
1629 # explicit controller is enabled or API is in our whitelist
1630 # explicit controller is enabled or API is in our whitelist
1630 if self.auth_token_access or auth_token_access_valid:
1631 if self.auth_token_access or auth_token_access_valid:
1631 log.debug('Checking AUTH TOKEN access for %s', cls)
1632 log.debug('Checking AUTH TOKEN access for %s', cls)
1632 db_user = user.get_instance()
1633 db_user = user.get_instance()
1633
1634
1634 if db_user:
1635 if db_user:
1635 if self.auth_token_access:
1636 if self.auth_token_access:
1636 roles = self.auth_token_access
1637 roles = self.auth_token_access
1637 else:
1638 else:
1638 roles = [UserApiKeys.ROLE_HTTP]
1639 roles = [UserApiKeys.ROLE_HTTP]
1639 token_match = db_user.authenticate_by_token(
1640 token_match = db_user.authenticate_by_token(
1640 _auth_token, roles=roles)
1641 _auth_token, roles=roles)
1641 else:
1642 else:
1642 log.debug('Unable to fetch db instance for auth user: %s', user)
1643 log.debug('Unable to fetch db instance for auth user: %s', user)
1643 token_match = False
1644 token_match = False
1644
1645
1645 if _auth_token and token_match:
1646 if _auth_token and token_match:
1646 auth_token_access_valid = True
1647 auth_token_access_valid = True
1647 log.debug('AUTH TOKEN ****%s is VALID', _auth_token[-4:])
1648 log.debug('AUTH TOKEN ****%s is VALID', _auth_token[-4:])
1648 else:
1649 else:
1649 auth_token_access_valid = False
1650 auth_token_access_valid = False
1650 if not _auth_token:
1651 if not _auth_token:
1651 log.debug("AUTH TOKEN *NOT* present in request")
1652 log.debug("AUTH TOKEN *NOT* present in request")
1652 else:
1653 else:
1653 log.warning("AUTH TOKEN ****%s *NOT* valid", _auth_token[-4:])
1654 log.warning("AUTH TOKEN ****%s *NOT* valid", _auth_token[-4:])
1654
1655
1655 log.debug('Checking if %s is authenticated @ %s', user.username, loc)
1656 log.debug('Checking if %s is authenticated @ %s', user.username, loc)
1656 reason = 'RHODECODE_AUTH' if user.is_authenticated \
1657 reason = 'RHODECODE_AUTH' if user.is_authenticated \
1657 else 'AUTH_TOKEN_AUTH'
1658 else 'AUTH_TOKEN_AUTH'
1658
1659
1659 if ip_access_valid and (
1660 if ip_access_valid and (
1660 user.is_authenticated or auth_token_access_valid):
1661 user.is_authenticated or auth_token_access_valid):
1661 log.info('user %s authenticating with:%s IS authenticated on func %s',
1662 log.info('user %s authenticating with:%s IS authenticated on func %s',
1662 user, reason, loc)
1663 user, reason, loc)
1663
1664
1664 return func(*fargs, **fkwargs)
1665 return func(*fargs, **fkwargs)
1665 else:
1666 else:
1666 log.warning(
1667 log.warning(
1667 'user %s authenticating with:%s NOT authenticated on '
1668 'user %s authenticating with:%s NOT authenticated on '
1668 'func: %s: IP_ACCESS:%s AUTH_TOKEN_ACCESS:%s',
1669 'func: %s: IP_ACCESS:%s AUTH_TOKEN_ACCESS:%s',
1669 user, reason, loc, ip_access_valid, auth_token_access_valid)
1670 user, reason, loc, ip_access_valid, auth_token_access_valid)
1670 # we preserve the get PARAM
1671 # we preserve the get PARAM
1671 came_from = get_came_from(request)
1672 came_from = get_came_from(request)
1672
1673
1673 log.debug('redirecting to login page with %s', came_from)
1674 log.debug('redirecting to login page with %s', came_from)
1674 raise HTTPFound(
1675 raise HTTPFound(
1675 h.route_path('login', _query={'came_from': came_from}))
1676 h.route_path('login', _query={'came_from': came_from}))
1676
1677
1677
1678
1678 class NotAnonymous(object):
1679 class NotAnonymous(object):
1679 """
1680 """
1680 Must be logged in to execute this function else
1681 Must be logged in to execute this function else
1681 redirect to login page
1682 redirect to login page
1682 """
1683 """
1683
1684
1684 def __call__(self, func):
1685 def __call__(self, func):
1685 return get_cython_compat_decorator(self.__wrapper, func)
1686 return get_cython_compat_decorator(self.__wrapper, func)
1686
1687
1687 def _get_request(self):
1688 def _get_request(self):
1688 return get_request(self)
1689 return get_request(self)
1689
1690
1690 def __wrapper(self, func, *fargs, **fkwargs):
1691 def __wrapper(self, func, *fargs, **fkwargs):
1691 import rhodecode.lib.helpers as h
1692 import rhodecode.lib.helpers as h
1692 cls = fargs[0]
1693 cls = fargs[0]
1693 self.user = cls._rhodecode_user
1694 self.user = cls._rhodecode_user
1694 request = self._get_request()
1695 request = self._get_request()
1695 _ = request.translate
1696 _ = request.translate
1696 log.debug('Checking if user is not anonymous @%s', cls)
1697 log.debug('Checking if user is not anonymous @%s', cls)
1697
1698
1698 anonymous = self.user.username == User.DEFAULT_USER
1699 anonymous = self.user.username == User.DEFAULT_USER
1699
1700
1700 if anonymous:
1701 if anonymous:
1701 came_from = get_came_from(request)
1702 came_from = get_came_from(request)
1702 h.flash(_('You need to be a registered user to '
1703 h.flash(_('You need to be a registered user to '
1703 'perform this action'),
1704 'perform this action'),
1704 category='warning')
1705 category='warning')
1705 raise HTTPFound(
1706 raise HTTPFound(
1706 h.route_path('login', _query={'came_from': came_from}))
1707 h.route_path('login', _query={'came_from': came_from}))
1707 else:
1708 else:
1708 return func(*fargs, **fkwargs)
1709 return func(*fargs, **fkwargs)
1709
1710
1710
1711
1711 class PermsDecorator(object):
1712 class PermsDecorator(object):
1712 """
1713 """
1713 Base class for controller decorators, we extract the current user from
1714 Base class for controller decorators, we extract the current user from
1714 the class itself, which has it stored in base controllers
1715 the class itself, which has it stored in base controllers
1715 """
1716 """
1716
1717
1717 def __init__(self, *required_perms):
1718 def __init__(self, *required_perms):
1718 self.required_perms = set(required_perms)
1719 self.required_perms = set(required_perms)
1719
1720
1720 def __call__(self, func):
1721 def __call__(self, func):
1721 return get_cython_compat_decorator(self.__wrapper, func)
1722 return get_cython_compat_decorator(self.__wrapper, func)
1722
1723
1723 def _get_request(self):
1724 def _get_request(self):
1724 return get_request(self)
1725 return get_request(self)
1725
1726
1726 def __wrapper(self, func, *fargs, **fkwargs):
1727 def __wrapper(self, func, *fargs, **fkwargs):
1727 import rhodecode.lib.helpers as h
1728 import rhodecode.lib.helpers as h
1728 cls = fargs[0]
1729 cls = fargs[0]
1729 _user = cls._rhodecode_user
1730 _user = cls._rhodecode_user
1730 request = self._get_request()
1731 request = self._get_request()
1731 _ = request.translate
1732 _ = request.translate
1732
1733
1733 log.debug('checking %s permissions %s for %s %s',
1734 log.debug('checking %s permissions %s for %s %s',
1734 self.__class__.__name__, self.required_perms, cls, _user)
1735 self.__class__.__name__, self.required_perms, cls, _user)
1735
1736
1736 if self.check_permissions(_user):
1737 if self.check_permissions(_user):
1737 log.debug('Permission granted for %s %s', cls, _user)
1738 log.debug('Permission granted for %s %s', cls, _user)
1738 return func(*fargs, **fkwargs)
1739 return func(*fargs, **fkwargs)
1739
1740
1740 else:
1741 else:
1741 log.debug('Permission denied for %s %s', cls, _user)
1742 log.debug('Permission denied for %s %s', cls, _user)
1742 anonymous = _user.username == User.DEFAULT_USER
1743 anonymous = _user.username == User.DEFAULT_USER
1743
1744
1744 if anonymous:
1745 if anonymous:
1745 came_from = get_came_from(self._get_request())
1746 came_from = get_came_from(self._get_request())
1746 h.flash(_('You need to be signed in to view this page'),
1747 h.flash(_('You need to be signed in to view this page'),
1747 category='warning')
1748 category='warning')
1748 raise HTTPFound(
1749 raise HTTPFound(
1749 h.route_path('login', _query={'came_from': came_from}))
1750 h.route_path('login', _query={'came_from': came_from}))
1750
1751
1751 else:
1752 else:
1752 # redirect with 404 to prevent resource discovery
1753 # redirect with 404 to prevent resource discovery
1753 raise HTTPNotFound()
1754 raise HTTPNotFound()
1754
1755
1755 def check_permissions(self, user):
1756 def check_permissions(self, user):
1756 """Dummy function for overriding"""
1757 """Dummy function for overriding"""
1757 raise NotImplementedError(
1758 raise NotImplementedError(
1758 'You have to write this function in child class')
1759 'You have to write this function in child class')
1759
1760
1760
1761
1761 class HasPermissionAllDecorator(PermsDecorator):
1762 class HasPermissionAllDecorator(PermsDecorator):
1762 """
1763 """
1763 Checks for access permission for all given predicates. All of them
1764 Checks for access permission for all given predicates. All of them
1764 have to be meet in order to fulfill the request
1765 have to be meet in order to fulfill the request
1765 """
1766 """
1766
1767
1767 def check_permissions(self, user):
1768 def check_permissions(self, user):
1768 perms = user.permissions_with_scope({})
1769 perms = user.permissions_with_scope({})
1769 if self.required_perms.issubset(perms['global']):
1770 if self.required_perms.issubset(perms['global']):
1770 return True
1771 return True
1771 return False
1772 return False
1772
1773
1773
1774
1774 class HasPermissionAnyDecorator(PermsDecorator):
1775 class HasPermissionAnyDecorator(PermsDecorator):
1775 """
1776 """
1776 Checks for access permission for any of given predicates. In order to
1777 Checks for access permission for any of given predicates. In order to
1777 fulfill the request any of predicates must be meet
1778 fulfill the request any of predicates must be meet
1778 """
1779 """
1779
1780
1780 def check_permissions(self, user):
1781 def check_permissions(self, user):
1781 perms = user.permissions_with_scope({})
1782 perms = user.permissions_with_scope({})
1782 if self.required_perms.intersection(perms['global']):
1783 if self.required_perms.intersection(perms['global']):
1783 return True
1784 return True
1784 return False
1785 return False
1785
1786
1786
1787
1787 class HasRepoPermissionAllDecorator(PermsDecorator):
1788 class HasRepoPermissionAllDecorator(PermsDecorator):
1788 """
1789 """
1789 Checks for access permission for all given predicates for specific
1790 Checks for access permission for all given predicates for specific
1790 repository. All of them have to be meet in order to fulfill the request
1791 repository. All of them have to be meet in order to fulfill the request
1791 """
1792 """
1792 def _get_repo_name(self):
1793 def _get_repo_name(self):
1793 _request = self._get_request()
1794 _request = self._get_request()
1794 return get_repo_slug(_request)
1795 return get_repo_slug(_request)
1795
1796
1796 def check_permissions(self, user):
1797 def check_permissions(self, user):
1797 perms = user.permissions
1798 perms = user.permissions
1798 repo_name = self._get_repo_name()
1799 repo_name = self._get_repo_name()
1799
1800
1800 try:
1801 try:
1801 user_perms = {perms['repositories'][repo_name]}
1802 user_perms = {perms['repositories'][repo_name]}
1802 except KeyError:
1803 except KeyError:
1803 log.debug('cannot locate repo with name: `%s` in permissions defs',
1804 log.debug('cannot locate repo with name: `%s` in permissions defs',
1804 repo_name)
1805 repo_name)
1805 return False
1806 return False
1806
1807
1807 log.debug('checking `%s` permissions for repo `%s`',
1808 log.debug('checking `%s` permissions for repo `%s`',
1808 user_perms, repo_name)
1809 user_perms, repo_name)
1809 if self.required_perms.issubset(user_perms):
1810 if self.required_perms.issubset(user_perms):
1810 return True
1811 return True
1811 return False
1812 return False
1812
1813
1813
1814
1814 class HasRepoPermissionAnyDecorator(PermsDecorator):
1815 class HasRepoPermissionAnyDecorator(PermsDecorator):
1815 """
1816 """
1816 Checks for access permission for any of given predicates for specific
1817 Checks for access permission for any of given predicates for specific
1817 repository. In order to fulfill the request any of predicates must be meet
1818 repository. In order to fulfill the request any of predicates must be meet
1818 """
1819 """
1819 def _get_repo_name(self):
1820 def _get_repo_name(self):
1820 _request = self._get_request()
1821 _request = self._get_request()
1821 return get_repo_slug(_request)
1822 return get_repo_slug(_request)
1822
1823
1823 def check_permissions(self, user):
1824 def check_permissions(self, user):
1824 perms = user.permissions
1825 perms = user.permissions
1825 repo_name = self._get_repo_name()
1826 repo_name = self._get_repo_name()
1826
1827
1827 try:
1828 try:
1828 user_perms = {perms['repositories'][repo_name]}
1829 user_perms = {perms['repositories'][repo_name]}
1829 except KeyError:
1830 except KeyError:
1830 log.debug(
1831 log.debug(
1831 'cannot locate repo with name: `%s` in permissions defs',
1832 'cannot locate repo with name: `%s` in permissions defs',
1832 repo_name)
1833 repo_name)
1833 return False
1834 return False
1834
1835
1835 log.debug('checking `%s` permissions for repo `%s`',
1836 log.debug('checking `%s` permissions for repo `%s`',
1836 user_perms, repo_name)
1837 user_perms, repo_name)
1837 if self.required_perms.intersection(user_perms):
1838 if self.required_perms.intersection(user_perms):
1838 return True
1839 return True
1839 return False
1840 return False
1840
1841
1841
1842
1842 class HasRepoGroupPermissionAllDecorator(PermsDecorator):
1843 class HasRepoGroupPermissionAllDecorator(PermsDecorator):
1843 """
1844 """
1844 Checks for access permission for all given predicates for specific
1845 Checks for access permission for all given predicates for specific
1845 repository group. All of them have to be meet in order to
1846 repository group. All of them have to be meet in order to
1846 fulfill the request
1847 fulfill the request
1847 """
1848 """
1848 def _get_repo_group_name(self):
1849 def _get_repo_group_name(self):
1849 _request = self._get_request()
1850 _request = self._get_request()
1850 return get_repo_group_slug(_request)
1851 return get_repo_group_slug(_request)
1851
1852
1852 def check_permissions(self, user):
1853 def check_permissions(self, user):
1853 perms = user.permissions
1854 perms = user.permissions
1854 group_name = self._get_repo_group_name()
1855 group_name = self._get_repo_group_name()
1855 try:
1856 try:
1856 user_perms = {perms['repositories_groups'][group_name]}
1857 user_perms = {perms['repositories_groups'][group_name]}
1857 except KeyError:
1858 except KeyError:
1858 log.debug(
1859 log.debug(
1859 'cannot locate repo group with name: `%s` in permissions defs',
1860 'cannot locate repo group with name: `%s` in permissions defs',
1860 group_name)
1861 group_name)
1861 return False
1862 return False
1862
1863
1863 log.debug('checking `%s` permissions for repo group `%s`',
1864 log.debug('checking `%s` permissions for repo group `%s`',
1864 user_perms, group_name)
1865 user_perms, group_name)
1865 if self.required_perms.issubset(user_perms):
1866 if self.required_perms.issubset(user_perms):
1866 return True
1867 return True
1867 return False
1868 return False
1868
1869
1869
1870
1870 class HasRepoGroupPermissionAnyDecorator(PermsDecorator):
1871 class HasRepoGroupPermissionAnyDecorator(PermsDecorator):
1871 """
1872 """
1872 Checks for access permission for any of given predicates for specific
1873 Checks for access permission for any of given predicates for specific
1873 repository group. In order to fulfill the request any
1874 repository group. In order to fulfill the request any
1874 of predicates must be met
1875 of predicates must be met
1875 """
1876 """
1876 def _get_repo_group_name(self):
1877 def _get_repo_group_name(self):
1877 _request = self._get_request()
1878 _request = self._get_request()
1878 return get_repo_group_slug(_request)
1879 return get_repo_group_slug(_request)
1879
1880
1880 def check_permissions(self, user):
1881 def check_permissions(self, user):
1881 perms = user.permissions
1882 perms = user.permissions
1882 group_name = self._get_repo_group_name()
1883 group_name = self._get_repo_group_name()
1883
1884
1884 try:
1885 try:
1885 user_perms = {perms['repositories_groups'][group_name]}
1886 user_perms = {perms['repositories_groups'][group_name]}
1886 except KeyError:
1887 except KeyError:
1887 log.debug(
1888 log.debug(
1888 'cannot locate repo group with name: `%s` in permissions defs',
1889 'cannot locate repo group with name: `%s` in permissions defs',
1889 group_name)
1890 group_name)
1890 return False
1891 return False
1891
1892
1892 log.debug('checking `%s` permissions for repo group `%s`',
1893 log.debug('checking `%s` permissions for repo group `%s`',
1893 user_perms, group_name)
1894 user_perms, group_name)
1894 if self.required_perms.intersection(user_perms):
1895 if self.required_perms.intersection(user_perms):
1895 return True
1896 return True
1896 return False
1897 return False
1897
1898
1898
1899
1899 class HasUserGroupPermissionAllDecorator(PermsDecorator):
1900 class HasUserGroupPermissionAllDecorator(PermsDecorator):
1900 """
1901 """
1901 Checks for access permission for all given predicates for specific
1902 Checks for access permission for all given predicates for specific
1902 user group. All of them have to be meet in order to fulfill the request
1903 user group. All of them have to be meet in order to fulfill the request
1903 """
1904 """
1904 def _get_user_group_name(self):
1905 def _get_user_group_name(self):
1905 _request = self._get_request()
1906 _request = self._get_request()
1906 return get_user_group_slug(_request)
1907 return get_user_group_slug(_request)
1907
1908
1908 def check_permissions(self, user):
1909 def check_permissions(self, user):
1909 perms = user.permissions
1910 perms = user.permissions
1910 group_name = self._get_user_group_name()
1911 group_name = self._get_user_group_name()
1911 try:
1912 try:
1912 user_perms = {perms['user_groups'][group_name]}
1913 user_perms = {perms['user_groups'][group_name]}
1913 except KeyError:
1914 except KeyError:
1914 return False
1915 return False
1915
1916
1916 if self.required_perms.issubset(user_perms):
1917 if self.required_perms.issubset(user_perms):
1917 return True
1918 return True
1918 return False
1919 return False
1919
1920
1920
1921
1921 class HasUserGroupPermissionAnyDecorator(PermsDecorator):
1922 class HasUserGroupPermissionAnyDecorator(PermsDecorator):
1922 """
1923 """
1923 Checks for access permission for any of given predicates for specific
1924 Checks for access permission for any of given predicates for specific
1924 user group. In order to fulfill the request any of predicates must be meet
1925 user group. In order to fulfill the request any of predicates must be meet
1925 """
1926 """
1926 def _get_user_group_name(self):
1927 def _get_user_group_name(self):
1927 _request = self._get_request()
1928 _request = self._get_request()
1928 return get_user_group_slug(_request)
1929 return get_user_group_slug(_request)
1929
1930
1930 def check_permissions(self, user):
1931 def check_permissions(self, user):
1931 perms = user.permissions
1932 perms = user.permissions
1932 group_name = self._get_user_group_name()
1933 group_name = self._get_user_group_name()
1933 try:
1934 try:
1934 user_perms = {perms['user_groups'][group_name]}
1935 user_perms = {perms['user_groups'][group_name]}
1935 except KeyError:
1936 except KeyError:
1936 return False
1937 return False
1937
1938
1938 if self.required_perms.intersection(user_perms):
1939 if self.required_perms.intersection(user_perms):
1939 return True
1940 return True
1940 return False
1941 return False
1941
1942
1942
1943
1943 # CHECK FUNCTIONS
1944 # CHECK FUNCTIONS
1944 class PermsFunction(object):
1945 class PermsFunction(object):
1945 """Base function for other check functions"""
1946 """Base function for other check functions"""
1946
1947
1947 def __init__(self, *perms):
1948 def __init__(self, *perms):
1948 self.required_perms = set(perms)
1949 self.required_perms = set(perms)
1949 self.repo_name = None
1950 self.repo_name = None
1950 self.repo_group_name = None
1951 self.repo_group_name = None
1951 self.user_group_name = None
1952 self.user_group_name = None
1952
1953
1953 def __bool__(self):
1954 def __bool__(self):
1954 frame = inspect.currentframe()
1955 frame = inspect.currentframe()
1955 stack_trace = traceback.format_stack(frame)
1956 stack_trace = traceback.format_stack(frame)
1956 log.error('Checking bool value on a class instance of perm '
1957 log.error('Checking bool value on a class instance of perm '
1957 'function is not allowed: %s', ''.join(stack_trace))
1958 'function is not allowed: %s', ''.join(stack_trace))
1958 # rather than throwing errors, here we always return False so if by
1959 # rather than throwing errors, here we always return False so if by
1959 # accident someone checks truth for just an instance it will always end
1960 # accident someone checks truth for just an instance it will always end
1960 # up in returning False
1961 # up in returning False
1961 return False
1962 return False
1962 __nonzero__ = __bool__
1963 __nonzero__ = __bool__
1963
1964
1964 def __call__(self, check_location='', user=None):
1965 def __call__(self, check_location='', user=None):
1965 if not user:
1966 if not user:
1966 log.debug('Using user attribute from global request')
1967 log.debug('Using user attribute from global request')
1967 request = self._get_request()
1968 request = self._get_request()
1968 user = request.user
1969 user = request.user
1969
1970
1970 # init auth user if not already given
1971 # init auth user if not already given
1971 if not isinstance(user, AuthUser):
1972 if not isinstance(user, AuthUser):
1972 log.debug('Wrapping user %s into AuthUser', user)
1973 log.debug('Wrapping user %s into AuthUser', user)
1973 user = AuthUser(user.user_id)
1974 user = AuthUser(user.user_id)
1974
1975
1975 cls_name = self.__class__.__name__
1976 cls_name = self.__class__.__name__
1976 check_scope = self._get_check_scope(cls_name)
1977 check_scope = self._get_check_scope(cls_name)
1977 check_location = check_location or 'unspecified location'
1978 check_location = check_location or 'unspecified location'
1978
1979
1979 log.debug('checking cls:%s %s usr:%s %s @ %s', cls_name,
1980 log.debug('checking cls:%s %s usr:%s %s @ %s', cls_name,
1980 self.required_perms, user, check_scope, check_location)
1981 self.required_perms, user, check_scope, check_location)
1981 if not user:
1982 if not user:
1982 log.warning('Empty user given for permission check')
1983 log.warning('Empty user given for permission check')
1983 return False
1984 return False
1984
1985
1985 if self.check_permissions(user):
1986 if self.check_permissions(user):
1986 log.debug('Permission to repo:`%s` GRANTED for user:`%s` @ %s',
1987 log.debug('Permission to repo:`%s` GRANTED for user:`%s` @ %s',
1987 check_scope, user, check_location)
1988 check_scope, user, check_location)
1988 return True
1989 return True
1989
1990
1990 else:
1991 else:
1991 log.debug('Permission to repo:`%s` DENIED for user:`%s` @ %s',
1992 log.debug('Permission to repo:`%s` DENIED for user:`%s` @ %s',
1992 check_scope, user, check_location)
1993 check_scope, user, check_location)
1993 return False
1994 return False
1994
1995
1995 def _get_request(self):
1996 def _get_request(self):
1996 return get_request(self)
1997 return get_request(self)
1997
1998
1998 def _get_check_scope(self, cls_name):
1999 def _get_check_scope(self, cls_name):
1999 return {
2000 return {
2000 'HasPermissionAll': 'GLOBAL',
2001 'HasPermissionAll': 'GLOBAL',
2001 'HasPermissionAny': 'GLOBAL',
2002 'HasPermissionAny': 'GLOBAL',
2002 'HasRepoPermissionAll': 'repo:%s' % self.repo_name,
2003 'HasRepoPermissionAll': 'repo:%s' % self.repo_name,
2003 'HasRepoPermissionAny': 'repo:%s' % self.repo_name,
2004 'HasRepoPermissionAny': 'repo:%s' % self.repo_name,
2004 'HasRepoGroupPermissionAll': 'repo_group:%s' % self.repo_group_name,
2005 'HasRepoGroupPermissionAll': 'repo_group:%s' % self.repo_group_name,
2005 'HasRepoGroupPermissionAny': 'repo_group:%s' % self.repo_group_name,
2006 'HasRepoGroupPermissionAny': 'repo_group:%s' % self.repo_group_name,
2006 'HasUserGroupPermissionAll': 'user_group:%s' % self.user_group_name,
2007 'HasUserGroupPermissionAll': 'user_group:%s' % self.user_group_name,
2007 'HasUserGroupPermissionAny': 'user_group:%s' % self.user_group_name,
2008 'HasUserGroupPermissionAny': 'user_group:%s' % self.user_group_name,
2008 }.get(cls_name, '?:%s' % cls_name)
2009 }.get(cls_name, '?:%s' % cls_name)
2009
2010
2010 def check_permissions(self, user):
2011 def check_permissions(self, user):
2011 """Dummy function for overriding"""
2012 """Dummy function for overriding"""
2012 raise Exception('You have to write this function in child class')
2013 raise Exception('You have to write this function in child class')
2013
2014
2014
2015
2015 class HasPermissionAll(PermsFunction):
2016 class HasPermissionAll(PermsFunction):
2016 def check_permissions(self, user):
2017 def check_permissions(self, user):
2017 perms = user.permissions_with_scope({})
2018 perms = user.permissions_with_scope({})
2018 if self.required_perms.issubset(perms.get('global')):
2019 if self.required_perms.issubset(perms.get('global')):
2019 return True
2020 return True
2020 return False
2021 return False
2021
2022
2022
2023
2023 class HasPermissionAny(PermsFunction):
2024 class HasPermissionAny(PermsFunction):
2024 def check_permissions(self, user):
2025 def check_permissions(self, user):
2025 perms = user.permissions_with_scope({})
2026 perms = user.permissions_with_scope({})
2026 if self.required_perms.intersection(perms.get('global')):
2027 if self.required_perms.intersection(perms.get('global')):
2027 return True
2028 return True
2028 return False
2029 return False
2029
2030
2030
2031
2031 class HasRepoPermissionAll(PermsFunction):
2032 class HasRepoPermissionAll(PermsFunction):
2032 def __call__(self, repo_name=None, check_location='', user=None):
2033 def __call__(self, repo_name=None, check_location='', user=None):
2033 self.repo_name = repo_name
2034 self.repo_name = repo_name
2034 return super(HasRepoPermissionAll, self).__call__(check_location, user)
2035 return super(HasRepoPermissionAll, self).__call__(check_location, user)
2035
2036
2036 def _get_repo_name(self):
2037 def _get_repo_name(self):
2037 if not self.repo_name:
2038 if not self.repo_name:
2038 _request = self._get_request()
2039 _request = self._get_request()
2039 self.repo_name = get_repo_slug(_request)
2040 self.repo_name = get_repo_slug(_request)
2040 return self.repo_name
2041 return self.repo_name
2041
2042
2042 def check_permissions(self, user):
2043 def check_permissions(self, user):
2043 self.repo_name = self._get_repo_name()
2044 self.repo_name = self._get_repo_name()
2044 perms = user.permissions
2045 perms = user.permissions
2045 try:
2046 try:
2046 user_perms = {perms['repositories'][self.repo_name]}
2047 user_perms = {perms['repositories'][self.repo_name]}
2047 except KeyError:
2048 except KeyError:
2048 return False
2049 return False
2049 if self.required_perms.issubset(user_perms):
2050 if self.required_perms.issubset(user_perms):
2050 return True
2051 return True
2051 return False
2052 return False
2052
2053
2053
2054
2054 class HasRepoPermissionAny(PermsFunction):
2055 class HasRepoPermissionAny(PermsFunction):
2055 def __call__(self, repo_name=None, check_location='', user=None):
2056 def __call__(self, repo_name=None, check_location='', user=None):
2056 self.repo_name = repo_name
2057 self.repo_name = repo_name
2057 return super(HasRepoPermissionAny, self).__call__(check_location, user)
2058 return super(HasRepoPermissionAny, self).__call__(check_location, user)
2058
2059
2059 def _get_repo_name(self):
2060 def _get_repo_name(self):
2060 if not self.repo_name:
2061 if not self.repo_name:
2061 _request = self._get_request()
2062 _request = self._get_request()
2062 self.repo_name = get_repo_slug(_request)
2063 self.repo_name = get_repo_slug(_request)
2063 return self.repo_name
2064 return self.repo_name
2064
2065
2065 def check_permissions(self, user):
2066 def check_permissions(self, user):
2066 self.repo_name = self._get_repo_name()
2067 self.repo_name = self._get_repo_name()
2067 perms = user.permissions
2068 perms = user.permissions
2068 try:
2069 try:
2069 user_perms = {perms['repositories'][self.repo_name]}
2070 user_perms = {perms['repositories'][self.repo_name]}
2070 except KeyError:
2071 except KeyError:
2071 return False
2072 return False
2072 if self.required_perms.intersection(user_perms):
2073 if self.required_perms.intersection(user_perms):
2073 return True
2074 return True
2074 return False
2075 return False
2075
2076
2076
2077
2077 class HasRepoGroupPermissionAny(PermsFunction):
2078 class HasRepoGroupPermissionAny(PermsFunction):
2078 def __call__(self, group_name=None, check_location='', user=None):
2079 def __call__(self, group_name=None, check_location='', user=None):
2079 self.repo_group_name = group_name
2080 self.repo_group_name = group_name
2080 return super(HasRepoGroupPermissionAny, self).__call__(
2081 return super(HasRepoGroupPermissionAny, self).__call__(
2081 check_location, user)
2082 check_location, user)
2082
2083
2083 def check_permissions(self, user):
2084 def check_permissions(self, user):
2084 perms = user.permissions
2085 perms = user.permissions
2085 try:
2086 try:
2086 user_perms = {perms['repositories_groups'][self.repo_group_name]}
2087 user_perms = {perms['repositories_groups'][self.repo_group_name]}
2087 except KeyError:
2088 except KeyError:
2088 return False
2089 return False
2089 if self.required_perms.intersection(user_perms):
2090 if self.required_perms.intersection(user_perms):
2090 return True
2091 return True
2091 return False
2092 return False
2092
2093
2093
2094
2094 class HasRepoGroupPermissionAll(PermsFunction):
2095 class HasRepoGroupPermissionAll(PermsFunction):
2095 def __call__(self, group_name=None, check_location='', user=None):
2096 def __call__(self, group_name=None, check_location='', user=None):
2096 self.repo_group_name = group_name
2097 self.repo_group_name = group_name
2097 return super(HasRepoGroupPermissionAll, self).__call__(
2098 return super(HasRepoGroupPermissionAll, self).__call__(
2098 check_location, user)
2099 check_location, user)
2099
2100
2100 def check_permissions(self, user):
2101 def check_permissions(self, user):
2101 perms = user.permissions
2102 perms = user.permissions
2102 try:
2103 try:
2103 user_perms = {perms['repositories_groups'][self.repo_group_name]}
2104 user_perms = {perms['repositories_groups'][self.repo_group_name]}
2104 except KeyError:
2105 except KeyError:
2105 return False
2106 return False
2106 if self.required_perms.issubset(user_perms):
2107 if self.required_perms.issubset(user_perms):
2107 return True
2108 return True
2108 return False
2109 return False
2109
2110
2110
2111
2111 class HasUserGroupPermissionAny(PermsFunction):
2112 class HasUserGroupPermissionAny(PermsFunction):
2112 def __call__(self, user_group_name=None, check_location='', user=None):
2113 def __call__(self, user_group_name=None, check_location='', user=None):
2113 self.user_group_name = user_group_name
2114 self.user_group_name = user_group_name
2114 return super(HasUserGroupPermissionAny, self).__call__(
2115 return super(HasUserGroupPermissionAny, self).__call__(
2115 check_location, user)
2116 check_location, user)
2116
2117
2117 def check_permissions(self, user):
2118 def check_permissions(self, user):
2118 perms = user.permissions
2119 perms = user.permissions
2119 try:
2120 try:
2120 user_perms = {perms['user_groups'][self.user_group_name]}
2121 user_perms = {perms['user_groups'][self.user_group_name]}
2121 except KeyError:
2122 except KeyError:
2122 return False
2123 return False
2123 if self.required_perms.intersection(user_perms):
2124 if self.required_perms.intersection(user_perms):
2124 return True
2125 return True
2125 return False
2126 return False
2126
2127
2127
2128
2128 class HasUserGroupPermissionAll(PermsFunction):
2129 class HasUserGroupPermissionAll(PermsFunction):
2129 def __call__(self, user_group_name=None, check_location='', user=None):
2130 def __call__(self, user_group_name=None, check_location='', user=None):
2130 self.user_group_name = user_group_name
2131 self.user_group_name = user_group_name
2131 return super(HasUserGroupPermissionAll, self).__call__(
2132 return super(HasUserGroupPermissionAll, self).__call__(
2132 check_location, user)
2133 check_location, user)
2133
2134
2134 def check_permissions(self, user):
2135 def check_permissions(self, user):
2135 perms = user.permissions
2136 perms = user.permissions
2136 try:
2137 try:
2137 user_perms = {perms['user_groups'][self.user_group_name]}
2138 user_perms = {perms['user_groups'][self.user_group_name]}
2138 except KeyError:
2139 except KeyError:
2139 return False
2140 return False
2140 if self.required_perms.issubset(user_perms):
2141 if self.required_perms.issubset(user_perms):
2141 return True
2142 return True
2142 return False
2143 return False
2143
2144
2144
2145
2145 # SPECIAL VERSION TO HANDLE MIDDLEWARE AUTH
2146 # SPECIAL VERSION TO HANDLE MIDDLEWARE AUTH
2146 class HasPermissionAnyMiddleware(object):
2147 class HasPermissionAnyMiddleware(object):
2147 def __init__(self, *perms):
2148 def __init__(self, *perms):
2148 self.required_perms = set(perms)
2149 self.required_perms = set(perms)
2149
2150
2150 def __call__(self, auth_user, repo_name):
2151 def __call__(self, auth_user, repo_name):
2151 # repo_name MUST be unicode, since we handle keys in permission
2152 # repo_name MUST be unicode, since we handle keys in permission
2152 # dict by unicode
2153 # dict by unicode
2153 repo_name = safe_unicode(repo_name)
2154 repo_name = safe_unicode(repo_name)
2154 log.debug(
2155 log.debug(
2155 'Checking VCS protocol permissions %s for user:%s repo:`%s`',
2156 'Checking VCS protocol permissions %s for user:%s repo:`%s`',
2156 self.required_perms, auth_user, repo_name)
2157 self.required_perms, auth_user, repo_name)
2157
2158
2158 if self.check_permissions(auth_user, repo_name):
2159 if self.check_permissions(auth_user, repo_name):
2159 log.debug('Permission to repo:`%s` GRANTED for user:%s @ %s',
2160 log.debug('Permission to repo:`%s` GRANTED for user:%s @ %s',
2160 repo_name, auth_user, 'PermissionMiddleware')
2161 repo_name, auth_user, 'PermissionMiddleware')
2161 return True
2162 return True
2162
2163
2163 else:
2164 else:
2164 log.debug('Permission to repo:`%s` DENIED for user:%s @ %s',
2165 log.debug('Permission to repo:`%s` DENIED for user:%s @ %s',
2165 repo_name, auth_user, 'PermissionMiddleware')
2166 repo_name, auth_user, 'PermissionMiddleware')
2166 return False
2167 return False
2167
2168
2168 def check_permissions(self, user, repo_name):
2169 def check_permissions(self, user, repo_name):
2169 perms = user.permissions_with_scope({'repo_name': repo_name})
2170 perms = user.permissions_with_scope({'repo_name': repo_name})
2170
2171
2171 try:
2172 try:
2172 user_perms = {perms['repositories'][repo_name]}
2173 user_perms = {perms['repositories'][repo_name]}
2173 except Exception:
2174 except Exception:
2174 log.exception('Error while accessing user permissions')
2175 log.exception('Error while accessing user permissions')
2175 return False
2176 return False
2176
2177
2177 if self.required_perms.intersection(user_perms):
2178 if self.required_perms.intersection(user_perms):
2178 return True
2179 return True
2179 return False
2180 return False
2180
2181
2181
2182
2182 # SPECIAL VERSION TO HANDLE API AUTH
2183 # SPECIAL VERSION TO HANDLE API AUTH
2183 class _BaseApiPerm(object):
2184 class _BaseApiPerm(object):
2184 def __init__(self, *perms):
2185 def __init__(self, *perms):
2185 self.required_perms = set(perms)
2186 self.required_perms = set(perms)
2186
2187
2187 def __call__(self, check_location=None, user=None, repo_name=None,
2188 def __call__(self, check_location=None, user=None, repo_name=None,
2188 group_name=None, user_group_name=None):
2189 group_name=None, user_group_name=None):
2189 cls_name = self.__class__.__name__
2190 cls_name = self.__class__.__name__
2190 check_scope = 'global:%s' % (self.required_perms,)
2191 check_scope = 'global:%s' % (self.required_perms,)
2191 if repo_name:
2192 if repo_name:
2192 check_scope += ', repo_name:%s' % (repo_name,)
2193 check_scope += ', repo_name:%s' % (repo_name,)
2193
2194
2194 if group_name:
2195 if group_name:
2195 check_scope += ', repo_group_name:%s' % (group_name,)
2196 check_scope += ', repo_group_name:%s' % (group_name,)
2196
2197
2197 if user_group_name:
2198 if user_group_name:
2198 check_scope += ', user_group_name:%s' % (user_group_name,)
2199 check_scope += ', user_group_name:%s' % (user_group_name,)
2199
2200
2200 log.debug('checking cls:%s %s %s @ %s',
2201 log.debug('checking cls:%s %s %s @ %s',
2201 cls_name, self.required_perms, check_scope, check_location)
2202 cls_name, self.required_perms, check_scope, check_location)
2202 if not user:
2203 if not user:
2203 log.debug('Empty User passed into arguments')
2204 log.debug('Empty User passed into arguments')
2204 return False
2205 return False
2205
2206
2206 # process user
2207 # process user
2207 if not isinstance(user, AuthUser):
2208 if not isinstance(user, AuthUser):
2208 user = AuthUser(user.user_id)
2209 user = AuthUser(user.user_id)
2209 if not check_location:
2210 if not check_location:
2210 check_location = 'unspecified'
2211 check_location = 'unspecified'
2211 if self.check_permissions(user.permissions, repo_name, group_name,
2212 if self.check_permissions(user.permissions, repo_name, group_name,
2212 user_group_name):
2213 user_group_name):
2213 log.debug('Permission to repo:`%s` GRANTED for user:`%s` @ %s',
2214 log.debug('Permission to repo:`%s` GRANTED for user:`%s` @ %s',
2214 check_scope, user, check_location)
2215 check_scope, user, check_location)
2215 return True
2216 return True
2216
2217
2217 else:
2218 else:
2218 log.debug('Permission to repo:`%s` DENIED for user:`%s` @ %s',
2219 log.debug('Permission to repo:`%s` DENIED for user:`%s` @ %s',
2219 check_scope, user, check_location)
2220 check_scope, user, check_location)
2220 return False
2221 return False
2221
2222
2222 def check_permissions(self, perm_defs, repo_name=None, group_name=None,
2223 def check_permissions(self, perm_defs, repo_name=None, group_name=None,
2223 user_group_name=None):
2224 user_group_name=None):
2224 """
2225 """
2225 implement in child class should return True if permissions are ok,
2226 implement in child class should return True if permissions are ok,
2226 False otherwise
2227 False otherwise
2227
2228
2228 :param perm_defs: dict with permission definitions
2229 :param perm_defs: dict with permission definitions
2229 :param repo_name: repo name
2230 :param repo_name: repo name
2230 """
2231 """
2231 raise NotImplementedError()
2232 raise NotImplementedError()
2232
2233
2233
2234
2234 class HasPermissionAllApi(_BaseApiPerm):
2235 class HasPermissionAllApi(_BaseApiPerm):
2235 def check_permissions(self, perm_defs, repo_name=None, group_name=None,
2236 def check_permissions(self, perm_defs, repo_name=None, group_name=None,
2236 user_group_name=None):
2237 user_group_name=None):
2237 if self.required_perms.issubset(perm_defs.get('global')):
2238 if self.required_perms.issubset(perm_defs.get('global')):
2238 return True
2239 return True
2239 return False
2240 return False
2240
2241
2241
2242
2242 class HasPermissionAnyApi(_BaseApiPerm):
2243 class HasPermissionAnyApi(_BaseApiPerm):
2243 def check_permissions(self, perm_defs, repo_name=None, group_name=None,
2244 def check_permissions(self, perm_defs, repo_name=None, group_name=None,
2244 user_group_name=None):
2245 user_group_name=None):
2245 if self.required_perms.intersection(perm_defs.get('global')):
2246 if self.required_perms.intersection(perm_defs.get('global')):
2246 return True
2247 return True
2247 return False
2248 return False
2248
2249
2249
2250
2250 class HasRepoPermissionAllApi(_BaseApiPerm):
2251 class HasRepoPermissionAllApi(_BaseApiPerm):
2251 def check_permissions(self, perm_defs, repo_name=None, group_name=None,
2252 def check_permissions(self, perm_defs, repo_name=None, group_name=None,
2252 user_group_name=None):
2253 user_group_name=None):
2253 try:
2254 try:
2254 _user_perms = {perm_defs['repositories'][repo_name]}
2255 _user_perms = {perm_defs['repositories'][repo_name]}
2255 except KeyError:
2256 except KeyError:
2256 log.warning(traceback.format_exc())
2257 log.warning(traceback.format_exc())
2257 return False
2258 return False
2258 if self.required_perms.issubset(_user_perms):
2259 if self.required_perms.issubset(_user_perms):
2259 return True
2260 return True
2260 return False
2261 return False
2261
2262
2262
2263
2263 class HasRepoPermissionAnyApi(_BaseApiPerm):
2264 class HasRepoPermissionAnyApi(_BaseApiPerm):
2264 def check_permissions(self, perm_defs, repo_name=None, group_name=None,
2265 def check_permissions(self, perm_defs, repo_name=None, group_name=None,
2265 user_group_name=None):
2266 user_group_name=None):
2266 try:
2267 try:
2267 _user_perms = {perm_defs['repositories'][repo_name]}
2268 _user_perms = {perm_defs['repositories'][repo_name]}
2268 except KeyError:
2269 except KeyError:
2269 log.warning(traceback.format_exc())
2270 log.warning(traceback.format_exc())
2270 return False
2271 return False
2271 if self.required_perms.intersection(_user_perms):
2272 if self.required_perms.intersection(_user_perms):
2272 return True
2273 return True
2273 return False
2274 return False
2274
2275
2275
2276
2276 class HasRepoGroupPermissionAnyApi(_BaseApiPerm):
2277 class HasRepoGroupPermissionAnyApi(_BaseApiPerm):
2277 def check_permissions(self, perm_defs, repo_name=None, group_name=None,
2278 def check_permissions(self, perm_defs, repo_name=None, group_name=None,
2278 user_group_name=None):
2279 user_group_name=None):
2279 try:
2280 try:
2280 _user_perms = {perm_defs['repositories_groups'][group_name]}
2281 _user_perms = {perm_defs['repositories_groups'][group_name]}
2281 except KeyError:
2282 except KeyError:
2282 log.warning(traceback.format_exc())
2283 log.warning(traceback.format_exc())
2283 return False
2284 return False
2284 if self.required_perms.intersection(_user_perms):
2285 if self.required_perms.intersection(_user_perms):
2285 return True
2286 return True
2286 return False
2287 return False
2287
2288
2288
2289
2289 class HasRepoGroupPermissionAllApi(_BaseApiPerm):
2290 class HasRepoGroupPermissionAllApi(_BaseApiPerm):
2290 def check_permissions(self, perm_defs, repo_name=None, group_name=None,
2291 def check_permissions(self, perm_defs, repo_name=None, group_name=None,
2291 user_group_name=None):
2292 user_group_name=None):
2292 try:
2293 try:
2293 _user_perms = {perm_defs['repositories_groups'][group_name]}
2294 _user_perms = {perm_defs['repositories_groups'][group_name]}
2294 except KeyError:
2295 except KeyError:
2295 log.warning(traceback.format_exc())
2296 log.warning(traceback.format_exc())
2296 return False
2297 return False
2297 if self.required_perms.issubset(_user_perms):
2298 if self.required_perms.issubset(_user_perms):
2298 return True
2299 return True
2299 return False
2300 return False
2300
2301
2301
2302
2302 class HasUserGroupPermissionAnyApi(_BaseApiPerm):
2303 class HasUserGroupPermissionAnyApi(_BaseApiPerm):
2303 def check_permissions(self, perm_defs, repo_name=None, group_name=None,
2304 def check_permissions(self, perm_defs, repo_name=None, group_name=None,
2304 user_group_name=None):
2305 user_group_name=None):
2305 try:
2306 try:
2306 _user_perms = {perm_defs['user_groups'][user_group_name]}
2307 _user_perms = {perm_defs['user_groups'][user_group_name]}
2307 except KeyError:
2308 except KeyError:
2308 log.warning(traceback.format_exc())
2309 log.warning(traceback.format_exc())
2309 return False
2310 return False
2310 if self.required_perms.intersection(_user_perms):
2311 if self.required_perms.intersection(_user_perms):
2311 return True
2312 return True
2312 return False
2313 return False
2313
2314
2314
2315
2315 def check_ip_access(source_ip, allowed_ips=None):
2316 def check_ip_access(source_ip, allowed_ips=None):
2316 """
2317 """
2317 Checks if source_ip is a subnet of any of allowed_ips.
2318 Checks if source_ip is a subnet of any of allowed_ips.
2318
2319
2319 :param source_ip:
2320 :param source_ip:
2320 :param allowed_ips: list of allowed ips together with mask
2321 :param allowed_ips: list of allowed ips together with mask
2321 """
2322 """
2322 log.debug('checking if ip:%s is subnet of %s', source_ip, allowed_ips)
2323 log.debug('checking if ip:%s is subnet of %s', source_ip, allowed_ips)
2323 source_ip_address = ipaddress.ip_address(safe_unicode(source_ip))
2324 source_ip_address = ipaddress.ip_address(safe_unicode(source_ip))
2324 if isinstance(allowed_ips, (tuple, list, set)):
2325 if isinstance(allowed_ips, (tuple, list, set)):
2325 for ip in allowed_ips:
2326 for ip in allowed_ips:
2326 ip = safe_unicode(ip)
2327 ip = safe_unicode(ip)
2327 try:
2328 try:
2328 network_address = ipaddress.ip_network(ip, strict=False)
2329 network_address = ipaddress.ip_network(ip, strict=False)
2329 if source_ip_address in network_address:
2330 if source_ip_address in network_address:
2330 log.debug('IP %s is network %s', source_ip_address, network_address)
2331 log.debug('IP %s is network %s', source_ip_address, network_address)
2331 return True
2332 return True
2332 # for any case we cannot determine the IP, don't crash just
2333 # for any case we cannot determine the IP, don't crash just
2333 # skip it and log as error, we want to say forbidden still when
2334 # skip it and log as error, we want to say forbidden still when
2334 # sending bad IP
2335 # sending bad IP
2335 except Exception:
2336 except Exception:
2336 log.error(traceback.format_exc())
2337 log.error(traceback.format_exc())
2337 continue
2338 continue
2338 return False
2339 return False
2339
2340
2340
2341
2341 def get_cython_compat_decorator(wrapper, func):
2342 def get_cython_compat_decorator(wrapper, func):
2342 """
2343 """
2343 Creates a cython compatible decorator. The previously used
2344 Creates a cython compatible decorator. The previously used
2344 decorator.decorator() function seems to be incompatible with cython.
2345 decorator.decorator() function seems to be incompatible with cython.
2345
2346
2346 :param wrapper: __wrapper method of the decorator class
2347 :param wrapper: __wrapper method of the decorator class
2347 :param func: decorated function
2348 :param func: decorated function
2348 """
2349 """
2349 @wraps(func)
2350 @wraps(func)
2350 def local_wrapper(*args, **kwds):
2351 def local_wrapper(*args, **kwds):
2351 return wrapper(func, *args, **kwds)
2352 return wrapper(func, *args, **kwds)
2352 local_wrapper.__wrapped__ = func
2353 local_wrapper.__wrapped__ = func
2353 return local_wrapper
2354 return local_wrapper
2354
2355
2355
2356
General Comments 0
You need to be logged in to leave comments. Login now