##// END OF EJS Templates
rhodecode-enterprise-ce
RSS
branch permissions: fixed a case of showing branch permissions entries when inheritation model is used....
dan -
r3154:ea307128 default
parent child Browse files
Show More
Show file before | Show file after | Hide comments
@@ -1,2355 +1,2356 b''
1 1 # -*- coding: utf-8 -*-
2 2
3 3 # Copyright (C) 2010-2018 RhodeCode GmbH
4 4 #
5 5 # This program is free software: you can redistribute it and/or modify
6 6 # it under the terms of the GNU Affero General Public License, version 3
7 7 # (only), as published by the Free Software Foundation.
8 8 #
9 9 # This program is distributed in the hope that it will be useful,
10 10 # but WITHOUT ANY WARRANTY; without even the implied warranty of
11 11 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 12 # GNU General Public License for more details.
13 13 #
14 14 # You should have received a copy of the GNU Affero General Public License
15 15 # along with this program. If not, see <http://www.gnu.org/licenses/>.
16 16 #
17 17 # This program is dual-licensed. If you wish to learn more about the
18 18 # RhodeCode Enterprise Edition, including its added features, Support services,
19 19 # and proprietary license terms, please see https://rhodecode.com/licenses/
20 20
21 21 """
22 22 authentication and permission libraries
23 23 """
24 24
25 25 import os
26 26 import time
27 27 import inspect
28 28 import collections
29 29 import fnmatch
30 30 import hashlib
31 31 import itertools
32 32 import logging
33 33 import random
34 34 import traceback
35 35 from functools import wraps
36 36
37 37 import ipaddress
38 38
39 39 from pyramid.httpexceptions import HTTPForbidden, HTTPFound, HTTPNotFound
40 40 from sqlalchemy.orm.exc import ObjectDeletedError
41 41 from sqlalchemy.orm import joinedload
42 42 from zope.cachedescriptors.property import Lazy as LazyProperty
43 43
44 44 import rhodecode
45 45 from rhodecode.model import meta
46 46 from rhodecode.model.meta import Session
47 47 from rhodecode.model.user import UserModel
48 48 from rhodecode.model.db import (
49 49 User, Repository, Permission, UserToPerm, UserGroupToPerm, UserGroupMember,
50 50 UserIpMap, UserApiKeys, RepoGroup, UserGroup)
51 51 from rhodecode.lib import rc_cache
52 52 from rhodecode.lib.utils2 import safe_unicode, aslist, safe_str, md5, safe_int, sha1
53 53 from rhodecode.lib.utils import (
54 54 get_repo_slug, get_repo_group_slug, get_user_group_slug)
55 55 from rhodecode.lib.caching_query import FromCache
56 56
57 57
58 58 if rhodecode.is_unix:
59 59 import bcrypt
60 60
61 61 log = logging.getLogger(__name__)
62 62
63 63 csrf_token_key = "csrf_token"
64 64
65 65
66 66 class PasswordGenerator(object):
67 67 """
68 68 This is a simple class for generating password from different sets of
69 69 characters
70 70 usage::
71
72 71 passwd_gen = PasswordGenerator()
73 72 #print 8-letter password containing only big and small letters
74 73 of alphabet
75 74 passwd_gen.gen_password(8, passwd_gen.ALPHABETS_BIG_SMALL)
76 75 """
77 76 ALPHABETS_NUM = r'''1234567890'''
78 77 ALPHABETS_SMALL = r'''qwertyuiopasdfghjklzxcvbnm'''
79 78 ALPHABETS_BIG = r'''QWERTYUIOPASDFGHJKLZXCVBNM'''
80 79 ALPHABETS_SPECIAL = r'''`-=[]\;',./~!@#$%^&*()_+{}|:"<>?'''
81 80 ALPHABETS_FULL = ALPHABETS_BIG + ALPHABETS_SMALL \
82 81 + ALPHABETS_NUM + ALPHABETS_SPECIAL
83 82 ALPHABETS_ALPHANUM = ALPHABETS_BIG + ALPHABETS_SMALL + ALPHABETS_NUM
84 83 ALPHABETS_BIG_SMALL = ALPHABETS_BIG + ALPHABETS_SMALL
85 84 ALPHABETS_ALPHANUM_BIG = ALPHABETS_BIG + ALPHABETS_NUM
86 85 ALPHABETS_ALPHANUM_SMALL = ALPHABETS_SMALL + ALPHABETS_NUM
87 86
88 87 def __init__(self, passwd=''):
89 88 self.passwd = passwd
90 89
91 90 def gen_password(self, length, type_=None):
92 91 if type_ is None:
93 92 type_ = self.ALPHABETS_FULL
94 93 self.passwd = ''.join([random.choice(type_) for _ in range(length)])
95 94 return self.passwd
96 95
97 96
98 97 class _RhodeCodeCryptoBase(object):
99 98 ENC_PREF = None
100 99
101 100 def hash_create(self, str_):
102 101 """
103 102 hash the string using
104 103
105 104 :param str_: password to hash
106 105 """
107 106 raise NotImplementedError
108 107
109 108 def hash_check_with_upgrade(self, password, hashed):
110 109 """
111 110 Returns tuple in which first element is boolean that states that
112 111 given password matches it's hashed version, and the second is new hash
113 112 of the password, in case this password should be migrated to new
114 113 cipher.
115 114 """
116 115 checked_hash = self.hash_check(password, hashed)
117 116 return checked_hash, None
118 117
119 118 def hash_check(self, password, hashed):
120 119 """
121 120 Checks matching password with it's hashed value.
122 121
123 122 :param password: password
124 123 :param hashed: password in hashed form
125 124 """
126 125 raise NotImplementedError
127 126
128 127 def _assert_bytes(self, value):
129 128 """
130 129 Passing in an `unicode` object can lead to hard to detect issues
131 130 if passwords contain non-ascii characters. Doing a type check
132 131 during runtime, so that such mistakes are detected early on.
133 132 """
134 133 if not isinstance(value, str):
135 134 raise TypeError(
136 135 "Bytestring required as input, got %r." % (value, ))
137 136
138 137
139 138 class _RhodeCodeCryptoBCrypt(_RhodeCodeCryptoBase):
140 139 ENC_PREF = ('$2a$10', '$2b$10')
141 140
142 141 def hash_create(self, str_):
143 142 self._assert_bytes(str_)
144 143 return bcrypt.hashpw(str_, bcrypt.gensalt(10))
145 144
146 145 def hash_check_with_upgrade(self, password, hashed):
147 146 """
148 147 Returns tuple in which first element is boolean that states that
149 148 given password matches it's hashed version, and the second is new hash
150 149 of the password, in case this password should be migrated to new
151 150 cipher.
152 151
153 152 This implements special upgrade logic which works like that:
154 153 - check if the given password == bcrypted hash, if yes then we
155 154 properly used password and it was already in bcrypt. Proceed
156 155 without any changes
157 156 - if bcrypt hash check is not working try with sha256. If hash compare
158 157 is ok, it means we using correct but old hashed password. indicate
159 158 hash change and proceed
160 159 """
161 160
162 161 new_hash = None
163 162
164 163 # regular pw check
165 164 password_match_bcrypt = self.hash_check(password, hashed)
166 165
167 166 # now we want to know if the password was maybe from sha256
168 167 # basically calling _RhodeCodeCryptoSha256().hash_check()
169 168 if not password_match_bcrypt:
170 169 if _RhodeCodeCryptoSha256().hash_check(password, hashed):
171 170 new_hash = self.hash_create(password) # make new bcrypt hash
172 171 password_match_bcrypt = True
173 172
174 173 return password_match_bcrypt, new_hash
175 174
176 175 def hash_check(self, password, hashed):
177 176 """
178 177 Checks matching password with it's hashed value.
179 178
180 179 :param password: password
181 180 :param hashed: password in hashed form
182 181 """
183 182 self._assert_bytes(password)
184 183 try:
185 184 return bcrypt.hashpw(password, hashed) == hashed
186 185 except ValueError as e:
187 186 # we're having a invalid salt here probably, we should not crash
188 187 # just return with False as it would be a wrong password.
189 188 log.debug('Failed to check password hash using bcrypt %s',
190 189 safe_str(e))
191 190
192 191 return False
193 192
194 193
195 194 class _RhodeCodeCryptoSha256(_RhodeCodeCryptoBase):
196 195 ENC_PREF = '_'
197 196
198 197 def hash_create(self, str_):
199 198 self._assert_bytes(str_)
200 199 return hashlib.sha256(str_).hexdigest()
201 200
202 201 def hash_check(self, password, hashed):
203 202 """
204 203 Checks matching password with it's hashed value.
205 204
206 205 :param password: password
207 206 :param hashed: password in hashed form
208 207 """
209 208 self._assert_bytes(password)
210 209 return hashlib.sha256(password).hexdigest() == hashed
211 210
212 211
213 212 class _RhodeCodeCryptoTest(_RhodeCodeCryptoBase):
214 213 ENC_PREF = '_'
215 214
216 215 def hash_create(self, str_):
217 216 self._assert_bytes(str_)
218 217 return sha1(str_)
219 218
220 219 def hash_check(self, password, hashed):
221 220 """
222 221 Checks matching password with it's hashed value.
223 222
224 223 :param password: password
225 224 :param hashed: password in hashed form
226 225 """
227 226 self._assert_bytes(password)
228 227 return sha1(password) == hashed
229 228
230 229
231 230 def crypto_backend():
232 231 """
233 232 Return the matching crypto backend.
234 233
235 234 Selection is based on if we run tests or not, we pick sha1-test backend to run
236 235 tests faster since BCRYPT is expensive to calculate
237 236 """
238 237 if rhodecode.is_test:
239 238 RhodeCodeCrypto = _RhodeCodeCryptoTest()
240 239 else:
241 240 RhodeCodeCrypto = _RhodeCodeCryptoBCrypt()
242 241
243 242 return RhodeCodeCrypto
244 243
245 244
246 245 def get_crypt_password(password):
247 246 """
248 247 Create the hash of `password` with the active crypto backend.
249 248
250 249 :param password: The cleartext password.
251 250 :type password: unicode
252 251 """
253 252 password = safe_str(password)
254 253 return crypto_backend().hash_create(password)
255 254
256 255
257 256 def check_password(password, hashed):
258 257 """
259 258 Check if the value in `password` matches the hash in `hashed`.
260 259
261 260 :param password: The cleartext password.
262 261 :type password: unicode
263 262
264 263 :param hashed: The expected hashed version of the password.
265 264 :type hashed: The hash has to be passed in in text representation.
266 265 """
267 266 password = safe_str(password)
268 267 return crypto_backend().hash_check(password, hashed)
269 268
270 269
271 270 def generate_auth_token(data, salt=None):
272 271 """
273 272 Generates API KEY from given string
274 273 """
275 274
276 275 if salt is None:
277 276 salt = os.urandom(16)
278 277 return hashlib.sha1(safe_str(data) + salt).hexdigest()
279 278
280 279
281 280 def get_came_from(request):
282 281 """
283 282 get query_string+path from request sanitized after removing auth_token
284 283 """
285 284 _req = request
286 285
287 286 path = _req.path
288 287 if 'auth_token' in _req.GET:
289 288 # sanitize the request and remove auth_token for redirection
290 289 _req.GET.pop('auth_token')
291 290 qs = _req.query_string
292 291 if qs:
293 292 path += '?' + qs
294 293
295 294 return path
296 295
297 296
298 297 class CookieStoreWrapper(object):
299 298
300 299 def __init__(self, cookie_store):
301 300 self.cookie_store = cookie_store
302 301
303 302 def __repr__(self):
304 303 return 'CookieStore<%s>' % (self.cookie_store)
305 304
306 305 def get(self, key, other=None):
307 306 if isinstance(self.cookie_store, dict):
308 307 return self.cookie_store.get(key, other)
309 308 elif isinstance(self.cookie_store, AuthUser):
310 309 return self.cookie_store.__dict__.get(key, other)
311 310
312 311
313 312 def _cached_perms_data(user_id, scope, user_is_admin,
314 313 user_inherit_default_permissions, explicit, algo,
315 314 calculate_super_admin):
316 315
317 316 permissions = PermissionCalculator(
318 317 user_id, scope, user_is_admin, user_inherit_default_permissions,
319 318 explicit, algo, calculate_super_admin)
320 319 return permissions.calculate()
321 320
322 321
323 322 class PermOrigin(object):
324 323 SUPER_ADMIN = 'superadmin'
325 324 ARCHIVED = 'archived'
326 325
327 326 REPO_USER = 'user:%s'
328 327 REPO_USERGROUP = 'usergroup:%s'
329 328 REPO_OWNER = 'repo.owner'
330 329 REPO_DEFAULT = 'repo.default'
331 330 REPO_DEFAULT_NO_INHERIT = 'repo.default.no.inherit'
332 331 REPO_PRIVATE = 'repo.private'
333 332
334 333 REPOGROUP_USER = 'user:%s'
335 334 REPOGROUP_USERGROUP = 'usergroup:%s'
336 335 REPOGROUP_OWNER = 'group.owner'
337 336 REPOGROUP_DEFAULT = 'group.default'
338 337 REPOGROUP_DEFAULT_NO_INHERIT = 'group.default.no.inherit'
339 338
340 339 USERGROUP_USER = 'user:%s'
341 340 USERGROUP_USERGROUP = 'usergroup:%s'
342 341 USERGROUP_OWNER = 'usergroup.owner'
343 342 USERGROUP_DEFAULT = 'usergroup.default'
344 343 USERGROUP_DEFAULT_NO_INHERIT = 'usergroup.default.no.inherit'
345 344
346 345
347 346 class PermOriginDict(dict):
348 347 """
349 348 A special dict used for tracking permissions along with their origins.
350 349
351 350 `__setitem__` has been overridden to expect a tuple(perm, origin)
352 351 `__getitem__` will return only the perm
353 352 `.perm_origin_stack` will return the stack of (perm, origin) set per key
354 353
355 354 >>> perms = PermOriginDict()
356 355 >>> perms['resource'] = 'read', 'default'
357 356 >>> perms['resource']
358 357 'read'
359 358 >>> perms['resource'] = 'write', 'admin'
360 359 >>> perms['resource']
361 360 'write'
362 361 >>> perms.perm_origin_stack
363 362 {'resource': [('read', 'default'), ('write', 'admin')]}
364 363 """
365 364
366 365 def __init__(self, *args, **kw):
367 366 dict.__init__(self, *args, **kw)
368 367 self.perm_origin_stack = collections.OrderedDict()
369 368
370 369 def __setitem__(self, key, (perm, origin)):
371 370 self.perm_origin_stack.setdefault(key, []).append(
372 371 (perm, origin))
373 372 dict.__setitem__(self, key, perm)
374 373
375 374
376 375 class BranchPermOriginDict(PermOriginDict):
377 376 """
378 377 Dedicated branch permissions dict, with tracking of patterns and origins.
379 378
380 379 >>> perms = BranchPermOriginDict()
381 380 >>> perms['resource'] = '*pattern', 'read', 'default'
382 381 >>> perms['resource']
383 382 {'*pattern': 'read'}
384 383 >>> perms['resource'] = '*pattern', 'write', 'admin'
385 384 >>> perms['resource']
386 385 {'*pattern': 'write'}
387 386 >>> perms.perm_origin_stack
388 387 {'resource': {'*pattern': [('read', 'default'), ('write', 'admin')]}}
389 388 """
390 389 def __setitem__(self, key, (pattern, perm, origin)):
391 390
392 391 self.perm_origin_stack.setdefault(key, {}) \
393 392 .setdefault(pattern, []).append((perm, origin))
394 393
395 394 if key in self:
396 395 self[key].__setitem__(pattern, perm)
397 396 else:
398 397 patterns = collections.OrderedDict()
399 398 patterns[pattern] = perm
400 399 dict.__setitem__(self, key, patterns)
401 400
402 401
403 402 class PermissionCalculator(object):
404 403
405 404 def __init__(
406 405 self, user_id, scope, user_is_admin,
407 406 user_inherit_default_permissions, explicit, algo,
408 407 calculate_super_admin_as_user=False):
409 408
410 409 self.user_id = user_id
411 410 self.user_is_admin = user_is_admin
412 411 self.inherit_default_permissions = user_inherit_default_permissions
413 412 self.explicit = explicit
414 413 self.algo = algo
415 414 self.calculate_super_admin_as_user = calculate_super_admin_as_user
416 415
417 416 scope = scope or {}
418 417 self.scope_repo_id = scope.get('repo_id')
419 418 self.scope_repo_group_id = scope.get('repo_group_id')
420 419 self.scope_user_group_id = scope.get('user_group_id')
421 420
422 421 self.default_user_id = User.get_default_user(cache=True).user_id
423 422
424 423 self.permissions_repositories = PermOriginDict()
425 424 self.permissions_repository_groups = PermOriginDict()
426 425 self.permissions_user_groups = PermOriginDict()
427 426 self.permissions_repository_branches = BranchPermOriginDict()
428 427 self.permissions_global = set()
429 428
430 429 self.default_repo_perms = Permission.get_default_repo_perms(
431 430 self.default_user_id, self.scope_repo_id)
432 431 self.default_repo_groups_perms = Permission.get_default_group_perms(
433 432 self.default_user_id, self.scope_repo_group_id)
434 433 self.default_user_group_perms = \
435 434 Permission.get_default_user_group_perms(
436 435 self.default_user_id, self.scope_user_group_id)
437 436
438 437 # default branch perms
439 438 self.default_branch_repo_perms = \
440 439 Permission.get_default_repo_branch_perms(
441 440 self.default_user_id, self.scope_repo_id)
442 441
443 442 def calculate(self):
444 443 if self.user_is_admin and not self.calculate_super_admin_as_user:
445 444 return self._calculate_admin_permissions()
446 445
447 446 self._calculate_global_default_permissions()
448 447 self._calculate_global_permissions()
449 448 self._calculate_default_permissions()
450 449 self._calculate_repository_permissions()
451 450 self._calculate_repository_branch_permissions()
452 451 self._calculate_repository_group_permissions()
453 452 self._calculate_user_group_permissions()
454 453 return self._permission_structure()
455 454
456 455 def _calculate_admin_permissions(self):
457 456 """
458 457 admin user have all default rights for repositories
459 458 and groups set to admin
460 459 """
461 460 self.permissions_global.add('hg.admin')
462 461 self.permissions_global.add('hg.create.write_on_repogroup.true')
463 462
464 463 # repositories
465 464 for perm in self.default_repo_perms:
466 465 r_k = perm.UserRepoToPerm.repository.repo_name
467 466 archived = perm.UserRepoToPerm.repository.archived
468 467 p = 'repository.admin'
469 468 self.permissions_repositories[r_k] = p, PermOrigin.SUPER_ADMIN
470 469 # special case for archived repositories, which we block still even for
471 470 # super admins
472 471 if archived:
473 472 p = 'repository.read'
474 473 self.permissions_repositories[r_k] = p, PermOrigin.ARCHIVED
475 474
476 475 # repository groups
477 476 for perm in self.default_repo_groups_perms:
478 477 rg_k = perm.UserRepoGroupToPerm.group.group_name
479 478 p = 'group.admin'
480 479 self.permissions_repository_groups[rg_k] = p, PermOrigin.SUPER_ADMIN
481 480
482 481 # user groups
483 482 for perm in self.default_user_group_perms:
484 483 u_k = perm.UserUserGroupToPerm.user_group.users_group_name
485 484 p = 'usergroup.admin'
486 485 self.permissions_user_groups[u_k] = p, PermOrigin.SUPER_ADMIN
487 486
488 487 # branch permissions
489 488 # since super-admin also can have custom rule permissions
490 489 # we *always* need to calculate those inherited from default, and also explicit
491 490 self._calculate_default_permissions_repository_branches(
492 491 user_inherit_object_permissions=False)
493 492 self._calculate_repository_branch_permissions()
494 493
495 494 return self._permission_structure()
496 495
497 496 def _calculate_global_default_permissions(self):
498 497 """
499 498 global permissions taken from the default user
500 499 """
501 500 default_global_perms = UserToPerm.query()\
502 501 .filter(UserToPerm.user_id == self.default_user_id)\
503 502 .options(joinedload(UserToPerm.permission))
504 503
505 504 for perm in default_global_perms:
506 505 self.permissions_global.add(perm.permission.permission_name)
507 506
508 507 if self.user_is_admin:
509 508 self.permissions_global.add('hg.admin')
510 509 self.permissions_global.add('hg.create.write_on_repogroup.true')
511 510
512 511 def _calculate_global_permissions(self):
513 512 """
514 513 Set global system permissions with user permissions or permissions
515 514 taken from the user groups of the current user.
516 515
517 516 The permissions include repo creating, repo group creating, forking
518 517 etc.
519 518 """
520 519
521 520 # now we read the defined permissions and overwrite what we have set
522 521 # before those can be configured from groups or users explicitly.
523 522
524 523 # In case we want to extend this list we should make sure
525 524 # this is in sync with User.DEFAULT_USER_PERMISSIONS definitions
526 525 _configurable = frozenset([
527 526 'hg.fork.none', 'hg.fork.repository',
528 527 'hg.create.none', 'hg.create.repository',
529 528 'hg.usergroup.create.false', 'hg.usergroup.create.true',
530 529 'hg.repogroup.create.false', 'hg.repogroup.create.true',
531 530 'hg.create.write_on_repogroup.false', 'hg.create.write_on_repogroup.true',
532 531 'hg.inherit_default_perms.false', 'hg.inherit_default_perms.true'
533 532 ])
534 533
535 534 # USER GROUPS comes first user group global permissions
536 535 user_perms_from_users_groups = Session().query(UserGroupToPerm)\
537 536 .options(joinedload(UserGroupToPerm.permission))\
538 537 .join((UserGroupMember, UserGroupToPerm.users_group_id ==
539 538 UserGroupMember.users_group_id))\
540 539 .filter(UserGroupMember.user_id == self.user_id)\
541 540 .order_by(UserGroupToPerm.users_group_id)\
542 541 .all()
543 542
544 543 # need to group here by groups since user can be in more than
545 544 # one group, so we get all groups
546 545 _explicit_grouped_perms = [
547 546 [x, list(y)] for x, y in
548 547 itertools.groupby(user_perms_from_users_groups,
549 548 lambda _x: _x.users_group)]
550 549
551 550 for gr, perms in _explicit_grouped_perms:
552 551 # since user can be in multiple groups iterate over them and
553 552 # select the lowest permissions first (more explicit)
554 553 # TODO(marcink): do this^^
555 554
556 555 # group doesn't inherit default permissions so we actually set them
557 556 if not gr.inherit_default_permissions:
558 557 # NEED TO IGNORE all previously set configurable permissions
559 558 # and replace them with explicitly set from this user
560 559 # group permissions
561 560 self.permissions_global = self.permissions_global.difference(
562 561 _configurable)
563 562 for perm in perms:
564 563 self.permissions_global.add(perm.permission.permission_name)
565 564
566 565 # user explicit global permissions
567 566 user_perms = Session().query(UserToPerm)\
568 567 .options(joinedload(UserToPerm.permission))\
569 568 .filter(UserToPerm.user_id == self.user_id).all()
570 569
571 570 if not self.inherit_default_permissions:
572 571 # NEED TO IGNORE all configurable permissions and
573 572 # replace them with explicitly set from this user permissions
574 573 self.permissions_global = self.permissions_global.difference(
575 574 _configurable)
576 575 for perm in user_perms:
577 576 self.permissions_global.add(perm.permission.permission_name)
578 577
579 578 def _calculate_default_permissions_repositories(self, user_inherit_object_permissions):
580 579 for perm in self.default_repo_perms:
581 580 r_k = perm.UserRepoToPerm.repository.repo_name
582 581 archived = perm.UserRepoToPerm.repository.archived
583 582 p = perm.Permission.permission_name
584 583 o = PermOrigin.REPO_DEFAULT
585 584 self.permissions_repositories[r_k] = p, o
586 585
587 586 # if we decide this user isn't inheriting permissions from
588 587 # default user we set him to .none so only explicit
589 588 # permissions work
590 589 if not user_inherit_object_permissions:
591 590 p = 'repository.none'
592 591 o = PermOrigin.REPO_DEFAULT_NO_INHERIT
593 592 self.permissions_repositories[r_k] = p, o
594 593
595 594 if perm.Repository.private and not (
596 595 perm.Repository.user_id == self.user_id):
597 596 # disable defaults for private repos,
598 597 p = 'repository.none'
599 598 o = PermOrigin.REPO_PRIVATE
600 599 self.permissions_repositories[r_k] = p, o
601 600
602 601 elif perm.Repository.user_id == self.user_id:
603 602 # set admin if owner
604 603 p = 'repository.admin'
605 604 o = PermOrigin.REPO_OWNER
606 605 self.permissions_repositories[r_k] = p, o
607 606
608 607 if self.user_is_admin:
609 608 p = 'repository.admin'
610 609 o = PermOrigin.SUPER_ADMIN
611 610 self.permissions_repositories[r_k] = p, o
612 611
613 612 # finally in case of archived repositories, we downgrade higher
614 613 # permissions to read
615 614 if archived:
616 615 current_perm = self.permissions_repositories[r_k]
617 616 if current_perm in ['repository.write', 'repository.admin']:
618 617 p = 'repository.read'
619 618 o = PermOrigin.ARCHIVED
620 619 self.permissions_repositories[r_k] = p, o
621 620
622 621 def _calculate_default_permissions_repository_branches(self, user_inherit_object_permissions):
623 622 for perm in self.default_branch_repo_perms:
624 623
625 624 r_k = perm.UserRepoToPerm.repository.repo_name
626 625 p = perm.Permission.permission_name
627 626 pattern = perm.UserToRepoBranchPermission.branch_pattern
628 627 o = PermOrigin.REPO_USER % perm.UserRepoToPerm.user.username
629 628
630 629 if not self.explicit:
631 # TODO(marcink): fix this for multiple entries
632 cur_perm = self.permissions_repository_branches.get(r_k) or 'branch.none'
630 cur_perm = self.permissions_repository_branches.get(r_k)
631 if cur_perm:
632 cur_perm = cur_perm[pattern]
633 cur_perm = cur_perm or 'branch.none'
634
633 635 p = self._choose_permission(p, cur_perm)
634 636
635 637 # NOTE(marcink): register all pattern/perm instances in this
636 638 # special dict that aggregates entries
637 639 self.permissions_repository_branches[r_k] = pattern, p, o
638 640
639 641 def _calculate_default_permissions_repository_groups(self, user_inherit_object_permissions):
640 642 for perm in self.default_repo_groups_perms:
641 643 rg_k = perm.UserRepoGroupToPerm.group.group_name
642 644 p = perm.Permission.permission_name
643 645 o = PermOrigin.REPOGROUP_DEFAULT
644 646 self.permissions_repository_groups[rg_k] = p, o
645 647
646 648 # if we decide this user isn't inheriting permissions from default
647 649 # user we set him to .none so only explicit permissions work
648 650 if not user_inherit_object_permissions:
649 651 p = 'group.none'
650 652 o = PermOrigin.REPOGROUP_DEFAULT_NO_INHERIT
651 653 self.permissions_repository_groups[rg_k] = p, o
652 654
653 655 if perm.RepoGroup.user_id == self.user_id:
654 656 # set admin if owner
655 657 p = 'group.admin'
656 658 o = PermOrigin.REPOGROUP_OWNER
657 659 self.permissions_repository_groups[rg_k] = p, o
658 660
659 661 if self.user_is_admin:
660 662 p = 'group.admin'
661 663 o = PermOrigin.SUPER_ADMIN
662 664 self.permissions_repository_groups[rg_k] = p, o
663 665
664 666 def _calculate_default_permissions_user_groups(self, user_inherit_object_permissions):
665 667 for perm in self.default_user_group_perms:
666 668 u_k = perm.UserUserGroupToPerm.user_group.users_group_name
667 669 p = perm.Permission.permission_name
668 670 o = PermOrigin.USERGROUP_DEFAULT
669 671 self.permissions_user_groups[u_k] = p, o
670 672
671 673 # if we decide this user isn't inheriting permissions from default
672 674 # user we set him to .none so only explicit permissions work
673 675 if not user_inherit_object_permissions:
674 676 p = 'usergroup.none'
675 677 o = PermOrigin.USERGROUP_DEFAULT_NO_INHERIT
676 678 self.permissions_user_groups[u_k] = p, o
677 679
678 680 if perm.UserGroup.user_id == self.user_id:
679 681 # set admin if owner
680 682 p = 'usergroup.admin'
681 683 o = PermOrigin.USERGROUP_OWNER
682 684 self.permissions_user_groups[u_k] = p, o
683 685
684 686 if self.user_is_admin:
685 687 p = 'usergroup.admin'
686 688 o = PermOrigin.SUPER_ADMIN
687 689 self.permissions_user_groups[u_k] = p, o
688 690
689 691 def _calculate_default_permissions(self):
690 692 """
691 693 Set default user permissions for repositories, repository branches,
692 694 repository groups, user groups taken from the default user.
693 695
694 696 Calculate inheritance of object permissions based on what we have now
695 697 in GLOBAL permissions. We check if .false is in GLOBAL since this is
696 698 explicitly set. Inherit is the opposite of .false being there.
697 699
698 700 .. note::
699 701
700 702 the syntax is little bit odd but what we need to check here is
701 703 the opposite of .false permission being in the list so even for
702 704 inconsistent state when both .true/.false is there
703 705 .false is more important
704 706
705 707 """
706 708 user_inherit_object_permissions = not ('hg.inherit_default_perms.false'
707 709 in self.permissions_global)
708 710
709 711 # default permissions inherited from `default` user permissions
710 712 self._calculate_default_permissions_repositories(
711 713 user_inherit_object_permissions)
712 714
713 715 self._calculate_default_permissions_repository_branches(
714 716 user_inherit_object_permissions)
715 717
716 718 self._calculate_default_permissions_repository_groups(
717 719 user_inherit_object_permissions)
718 720
719 721 self._calculate_default_permissions_user_groups(
720 722 user_inherit_object_permissions)
721 723
722 724 def _calculate_repository_permissions(self):
723 725 """
724 726 Repository permissions for the current user.
725 727
726 728 Check if the user is part of user groups for this repository and
727 729 fill in the permission from it. `_choose_permission` decides of which
728 730 permission should be selected based on selected method.
729 731 """
730 732
731 733 # user group for repositories permissions
732 734 user_repo_perms_from_user_group = Permission\
733 735 .get_default_repo_perms_from_user_group(
734 736 self.user_id, self.scope_repo_id)
735 737
736 738 multiple_counter = collections.defaultdict(int)
737 739 for perm in user_repo_perms_from_user_group:
738 740 r_k = perm.UserGroupRepoToPerm.repository.repo_name
739 741 multiple_counter[r_k] += 1
740 742 p = perm.Permission.permission_name
741 743 o = PermOrigin.REPO_USERGROUP % perm.UserGroupRepoToPerm\
742 744 .users_group.users_group_name
743 745
744 746 if multiple_counter[r_k] > 1:
745 747 cur_perm = self.permissions_repositories[r_k]
746 748 p = self._choose_permission(p, cur_perm)
747 749
748 750 self.permissions_repositories[r_k] = p, o
749 751
750 752 if perm.Repository.user_id == self.user_id:
751 753 # set admin if owner
752 754 p = 'repository.admin'
753 755 o = PermOrigin.REPO_OWNER
754 756 self.permissions_repositories[r_k] = p, o
755 757
756 758 if self.user_is_admin:
757 759 p = 'repository.admin'
758 760 o = PermOrigin.SUPER_ADMIN
759 761 self.permissions_repositories[r_k] = p, o
760 762
761 763 # user explicit permissions for repositories, overrides any specified
762 764 # by the group permission
763 765 user_repo_perms = Permission.get_default_repo_perms(
764 766 self.user_id, self.scope_repo_id)
765 767 for perm in user_repo_perms:
766 768 r_k = perm.UserRepoToPerm.repository.repo_name
767 769 p = perm.Permission.permission_name
768 770 o = PermOrigin.REPO_USER % perm.UserRepoToPerm.user.username
769 771
770 772 if not self.explicit:
771 773 cur_perm = self.permissions_repositories.get(
772 774 r_k, 'repository.none')
773 775 p = self._choose_permission(p, cur_perm)
774 776
775 777 self.permissions_repositories[r_k] = p, o
776 778
777 779 if perm.Repository.user_id == self.user_id:
778 780 # set admin if owner
779 781 p = 'repository.admin'
780 782 o = PermOrigin.REPO_OWNER
781 783 self.permissions_repositories[r_k] = p, o
782 784
783 785 if self.user_is_admin:
784 786 p = 'repository.admin'
785 787 o = PermOrigin.SUPER_ADMIN
786 788 self.permissions_repositories[r_k] = p, o
787 789
788 790 def _calculate_repository_branch_permissions(self):
789 791 # user group for repositories permissions
790 792 user_repo_branch_perms_from_user_group = Permission\
791 793 .get_default_repo_branch_perms_from_user_group(
792 794 self.user_id, self.scope_repo_id)
793 795
794 796 multiple_counter = collections.defaultdict(int)
795 797 for perm in user_repo_branch_perms_from_user_group:
796 798 r_k = perm.UserGroupRepoToPerm.repository.repo_name
797 799 p = perm.Permission.permission_name
798 800 pattern = perm.UserGroupToRepoBranchPermission.branch_pattern
799 801 o = PermOrigin.REPO_USERGROUP % perm.UserGroupRepoToPerm\
800 802 .users_group.users_group_name
801 803
802 804 multiple_counter[r_k] += 1
803 805 if multiple_counter[r_k] > 1:
804 # TODO(marcink): fix this for multi branch support, and multiple entries
805 cur_perm = self.permissions_repository_branches[r_k]
806 cur_perm = self.permissions_repository_branches[r_k][pattern]
806 807 p = self._choose_permission(p, cur_perm)
807 808
808 809 self.permissions_repository_branches[r_k] = pattern, p, o
809 810
810 811 # user explicit branch permissions for repositories, overrides
811 812 # any specified by the group permission
812 813 user_repo_branch_perms = Permission.get_default_repo_branch_perms(
813 814 self.user_id, self.scope_repo_id)
814 815
815 816 for perm in user_repo_branch_perms:
816 817
817 818 r_k = perm.UserRepoToPerm.repository.repo_name
818 819 p = perm.Permission.permission_name
819 820 pattern = perm.UserToRepoBranchPermission.branch_pattern
820 821 o = PermOrigin.REPO_USER % perm.UserRepoToPerm.user.username
821 822
822 823 if not self.explicit:
823 # TODO(marcink): fix this for multiple entries
824 cur_perm = self.permissions_repository_branches.get(r_k) or 'branch.none'
824 cur_perm = self.permissions_repository_branches.get(r_k)
825 if cur_perm:
826 cur_perm = cur_perm[pattern]
827 cur_perm = cur_perm or 'branch.none'
825 828 p = self._choose_permission(p, cur_perm)
826 829
827 830 # NOTE(marcink): register all pattern/perm instances in this
828 831 # special dict that aggregates entries
829 832 self.permissions_repository_branches[r_k] = pattern, p, o
830 833
831 834 def _calculate_repository_group_permissions(self):
832 835 """
833 836 Repository group permissions for the current user.
834 837
835 838 Check if the user is part of user groups for repository groups and
836 839 fill in the permissions from it. `_choose_permission` decides of which
837 840 permission should be selected based on selected method.
838 841 """
839 842 # user group for repo groups permissions
840 843 user_repo_group_perms_from_user_group = Permission\
841 844 .get_default_group_perms_from_user_group(
842 845 self.user_id, self.scope_repo_group_id)
843 846
844 847 multiple_counter = collections.defaultdict(int)
845 848 for perm in user_repo_group_perms_from_user_group:
846 849 rg_k = perm.UserGroupRepoGroupToPerm.group.group_name
847 850 multiple_counter[rg_k] += 1
848 851 o = PermOrigin.REPOGROUP_USERGROUP % perm.UserGroupRepoGroupToPerm\
849 852 .users_group.users_group_name
850 853 p = perm.Permission.permission_name
851 854
852 855 if multiple_counter[rg_k] > 1:
853 856 cur_perm = self.permissions_repository_groups[rg_k]
854 857 p = self._choose_permission(p, cur_perm)
855 858 self.permissions_repository_groups[rg_k] = p, o
856 859
857 860 if perm.RepoGroup.user_id == self.user_id:
858 861 # set admin if owner, even for member of other user group
859 862 p = 'group.admin'
860 863 o = PermOrigin.REPOGROUP_OWNER
861 864 self.permissions_repository_groups[rg_k] = p, o
862 865
863 866 if self.user_is_admin:
864 867 p = 'group.admin'
865 868 o = PermOrigin.SUPER_ADMIN
866 869 self.permissions_repository_groups[rg_k] = p, o
867 870
868 871 # user explicit permissions for repository groups
869 872 user_repo_groups_perms = Permission.get_default_group_perms(
870 873 self.user_id, self.scope_repo_group_id)
871 874 for perm in user_repo_groups_perms:
872 875 rg_k = perm.UserRepoGroupToPerm.group.group_name
873 876 o = PermOrigin.REPOGROUP_USER % perm.UserRepoGroupToPerm\
874 877 .user.username
875 878 p = perm.Permission.permission_name
876 879
877 880 if not self.explicit:
878 cur_perm = self.permissions_repository_groups.get(
879 rg_k, 'group.none')
881 cur_perm = self.permissions_repository_groups.get(rg_k, 'group.none')
880 882 p = self._choose_permission(p, cur_perm)
881 883
882 884 self.permissions_repository_groups[rg_k] = p, o
883 885
884 886 if perm.RepoGroup.user_id == self.user_id:
885 887 # set admin if owner
886 888 p = 'group.admin'
887 889 o = PermOrigin.REPOGROUP_OWNER
888 890 self.permissions_repository_groups[rg_k] = p, o
889 891
890 892 if self.user_is_admin:
891 893 p = 'group.admin'
892 894 o = PermOrigin.SUPER_ADMIN
893 895 self.permissions_repository_groups[rg_k] = p, o
894 896
895 897 def _calculate_user_group_permissions(self):
896 898 """
897 899 User group permissions for the current user.
898 900 """
899 901 # user group for user group permissions
900 902 user_group_from_user_group = Permission\
901 903 .get_default_user_group_perms_from_user_group(
902 904 self.user_id, self.scope_user_group_id)
903 905
904 906 multiple_counter = collections.defaultdict(int)
905 907 for perm in user_group_from_user_group:
906 908 ug_k = perm.UserGroupUserGroupToPerm\
907 909 .target_user_group.users_group_name
908 910 multiple_counter[ug_k] += 1
909 911 o = PermOrigin.USERGROUP_USERGROUP % perm.UserGroupUserGroupToPerm\
910 912 .user_group.users_group_name
911 913 p = perm.Permission.permission_name
912 914
913 915 if multiple_counter[ug_k] > 1:
914 916 cur_perm = self.permissions_user_groups[ug_k]
915 917 p = self._choose_permission(p, cur_perm)
916 918
917 919 self.permissions_user_groups[ug_k] = p, o
918 920
919 921 if perm.UserGroup.user_id == self.user_id:
920 922 # set admin if owner, even for member of other user group
921 923 p = 'usergroup.admin'
922 924 o = PermOrigin.USERGROUP_OWNER
923 925 self.permissions_user_groups[ug_k] = p, o
924 926
925 927 if self.user_is_admin:
926 928 p = 'usergroup.admin'
927 929 o = PermOrigin.SUPER_ADMIN
928 930 self.permissions_user_groups[ug_k] = p, o
929 931
930 932 # user explicit permission for user groups
931 933 user_user_groups_perms = Permission.get_default_user_group_perms(
932 934 self.user_id, self.scope_user_group_id)
933 935 for perm in user_user_groups_perms:
934 936 ug_k = perm.UserUserGroupToPerm.user_group.users_group_name
935 937 o = PermOrigin.USERGROUP_USER % perm.UserUserGroupToPerm\
936 938 .user.username
937 939 p = perm.Permission.permission_name
938 940
939 941 if not self.explicit:
940 cur_perm = self.permissions_user_groups.get(
941 ug_k, 'usergroup.none')
942 cur_perm = self.permissions_user_groups.get(ug_k, 'usergroup.none')
942 943 p = self._choose_permission(p, cur_perm)
943 944
944 945 self.permissions_user_groups[ug_k] = p, o
945 946
946 947 if perm.UserGroup.user_id == self.user_id:
947 948 # set admin if owner
948 949 p = 'usergroup.admin'
949 950 o = PermOrigin.USERGROUP_OWNER
950 951 self.permissions_user_groups[ug_k] = p, o
951 952
952 953 if self.user_is_admin:
953 954 p = 'usergroup.admin'
954 955 o = PermOrigin.SUPER_ADMIN
955 956 self.permissions_user_groups[ug_k] = p, o
956 957
957 958 def _choose_permission(self, new_perm, cur_perm):
958 959 new_perm_val = Permission.PERM_WEIGHTS[new_perm]
959 960 cur_perm_val = Permission.PERM_WEIGHTS[cur_perm]
960 961 if self.algo == 'higherwin':
961 962 if new_perm_val > cur_perm_val:
962 963 return new_perm
963 964 return cur_perm
964 965 elif self.algo == 'lowerwin':
965 966 if new_perm_val < cur_perm_val:
966 967 return new_perm
967 968 return cur_perm
968 969
969 970 def _permission_structure(self):
970 971 return {
971 972 'global': self.permissions_global,
972 973 'repositories': self.permissions_repositories,
973 974 'repository_branches': self.permissions_repository_branches,
974 975 'repositories_groups': self.permissions_repository_groups,
975 976 'user_groups': self.permissions_user_groups,
976 977 }
977 978
978 979
979 980 def allowed_auth_token_access(view_name, auth_token, whitelist=None):
980 981 """
981 982 Check if given controller_name is in whitelist of auth token access
982 983 """
983 984 if not whitelist:
984 985 from rhodecode import CONFIG
985 986 whitelist = aslist(
986 987 CONFIG.get('api_access_controllers_whitelist'), sep=',')
987 988 # backward compat translation
988 989 compat = {
989 990 # old controller, new VIEW
990 991 'ChangesetController:*': 'RepoCommitsView:*',
991 992 'ChangesetController:changeset_patch': 'RepoCommitsView:repo_commit_patch',
992 993 'ChangesetController:changeset_raw': 'RepoCommitsView:repo_commit_raw',
993 994 'FilesController:raw': 'RepoCommitsView:repo_commit_raw',
994 995 'FilesController:archivefile': 'RepoFilesView:repo_archivefile',
995 996 'GistsController:*': 'GistView:*',
996 997 }
997 998
998 999 log.debug(
999 1000 'Allowed views for AUTH TOKEN access: %s', whitelist)
1000 1001 auth_token_access_valid = False
1001 1002
1002 1003 for entry in whitelist:
1003 1004 token_match = True
1004 1005 if entry in compat:
1005 1006 # translate from old Controllers to Pyramid Views
1006 1007 entry = compat[entry]
1007 1008
1008 1009 if '@' in entry:
1009 1010 # specific AuthToken
1010 1011 entry, allowed_token = entry.split('@', 1)
1011 1012 token_match = auth_token == allowed_token
1012 1013
1013 1014 if fnmatch.fnmatch(view_name, entry) and token_match:
1014 1015 auth_token_access_valid = True
1015 1016 break
1016 1017
1017 1018 if auth_token_access_valid:
1018 1019 log.debug('view: `%s` matches entry in whitelist: %s',
1019 1020 view_name, whitelist)
1020 1021
1021 1022 else:
1022 1023 msg = ('view: `%s` does *NOT* match any entry in whitelist: %s'
1023 1024 % (view_name, whitelist))
1024 1025 if auth_token:
1025 1026 # if we use auth token key and don't have access it's a warning
1026 1027 log.warning(msg)
1027 1028 else:
1028 1029 log.debug(msg)
1029 1030
1030 1031 return auth_token_access_valid
1031 1032
1032 1033
1033 1034 class AuthUser(object):
1034 1035 """
1035 1036 A simple object that handles all attributes of user in RhodeCode
1036 1037
1037 1038 It does lookup based on API key,given user, or user present in session
1038 1039 Then it fills all required information for such user. It also checks if
1039 1040 anonymous access is enabled and if so, it returns default user as logged in
1040 1041 """
1041 1042 GLOBAL_PERMS = [x[0] for x in Permission.PERMS]
1042 1043
1043 1044 def __init__(self, user_id=None, api_key=None, username=None, ip_addr=None):
1044 1045
1045 1046 self.user_id = user_id
1046 1047 self._api_key = api_key
1047 1048
1048 1049 self.api_key = None
1049 1050 self.username = username
1050 1051 self.ip_addr = ip_addr
1051 1052 self.name = ''
1052 1053 self.lastname = ''
1053 1054 self.first_name = ''
1054 1055 self.last_name = ''
1055 1056 self.email = ''
1056 1057 self.is_authenticated = False
1057 1058 self.admin = False
1058 1059 self.inherit_default_permissions = False
1059 1060 self.password = ''
1060 1061
1061 1062 self.anonymous_user = None # propagated on propagate_data
1062 1063 self.propagate_data()
1063 1064 self._instance = None
1064 1065 self._permissions_scoped_cache = {} # used to bind scoped calculation
1065 1066
1066 1067 @LazyProperty
1067 1068 def permissions(self):
1068 1069 return self.get_perms(user=self, cache=None)
1069 1070
1070 1071 @LazyProperty
1071 1072 def permissions_safe(self):
1072 1073 """
1073 1074 Filtered permissions excluding not allowed repositories
1074 1075 """
1075 1076 perms = self.get_perms(user=self, cache=None)
1076 1077
1077 1078 perms['repositories'] = {
1078 1079 k: v for k, v in perms['repositories'].items()
1079 1080 if v != 'repository.none'}
1080 1081 perms['repositories_groups'] = {
1081 1082 k: v for k, v in perms['repositories_groups'].items()
1082 1083 if v != 'group.none'}
1083 1084 perms['user_groups'] = {
1084 1085 k: v for k, v in perms['user_groups'].items()
1085 1086 if v != 'usergroup.none'}
1086 1087 perms['repository_branches'] = {
1087 1088 k: v for k, v in perms['repository_branches'].iteritems()
1088 1089 if v != 'branch.none'}
1089 1090 return perms
1090 1091
1091 1092 @LazyProperty
1092 1093 def permissions_full_details(self):
1093 1094 return self.get_perms(
1094 1095 user=self, cache=None, calculate_super_admin=True)
1095 1096
1096 1097 def permissions_with_scope(self, scope):
1097 1098 """
1098 1099 Call the get_perms function with scoped data. The scope in that function
1099 1100 narrows the SQL calls to the given ID of objects resulting in fetching
1100 1101 Just particular permission we want to obtain. If scope is an empty dict
1101 1102 then it basically narrows the scope to GLOBAL permissions only.
1102 1103
1103 1104 :param scope: dict
1104 1105 """
1105 1106 if 'repo_name' in scope:
1106 1107 obj = Repository.get_by_repo_name(scope['repo_name'])
1107 1108 if obj:
1108 1109 scope['repo_id'] = obj.repo_id
1109 1110 _scope = collections.OrderedDict()
1110 1111 _scope['repo_id'] = -1
1111 1112 _scope['user_group_id'] = -1
1112 1113 _scope['repo_group_id'] = -1
1113 1114
1114 1115 for k in sorted(scope.keys()):
1115 1116 _scope[k] = scope[k]
1116 1117
1117 1118 # store in cache to mimic how the @LazyProperty works,
1118 1119 # the difference here is that we use the unique key calculated
1119 1120 # from params and values
1120 1121 return self.get_perms(user=self, cache=None, scope=_scope)
1121 1122
1122 1123 def get_instance(self):
1123 1124 return User.get(self.user_id)
1124 1125
1125 1126 def propagate_data(self):
1126 1127 """
1127 1128 Fills in user data and propagates values to this instance. Maps fetched
1128 1129 user attributes to this class instance attributes
1129 1130 """
1130 1131 log.debug('AuthUser: starting data propagation for new potential user')
1131 1132 user_model = UserModel()
1132 1133 anon_user = self.anonymous_user = User.get_default_user(cache=True)
1133 1134 is_user_loaded = False
1134 1135
1135 1136 # lookup by userid
1136 1137 if self.user_id is not None and self.user_id != anon_user.user_id:
1137 1138 log.debug('Trying Auth User lookup by USER ID: `%s`', self.user_id)
1138 1139 is_user_loaded = user_model.fill_data(self, user_id=self.user_id)
1139 1140
1140 1141 # try go get user by api key
1141 1142 elif self._api_key and self._api_key != anon_user.api_key:
1142 1143 log.debug('Trying Auth User lookup by API KEY: `%s`', self._api_key)
1143 1144 is_user_loaded = user_model.fill_data(self, api_key=self._api_key)
1144 1145
1145 1146 # lookup by username
1146 1147 elif self.username:
1147 1148 log.debug('Trying Auth User lookup by USER NAME: `%s`', self.username)
1148 1149 is_user_loaded = user_model.fill_data(self, username=self.username)
1149 1150 else:
1150 1151 log.debug('No data in %s that could been used to log in', self)
1151 1152
1152 1153 if not is_user_loaded:
1153 1154 log.debug(
1154 1155 'Failed to load user. Fallback to default user %s', anon_user)
1155 1156 # if we cannot authenticate user try anonymous
1156 1157 if anon_user.active:
1157 1158 log.debug('default user is active, using it as a session user')
1158 1159 user_model.fill_data(self, user_id=anon_user.user_id)
1159 1160 # then we set this user is logged in
1160 1161 self.is_authenticated = True
1161 1162 else:
1162 1163 log.debug('default user is NOT active')
1163 1164 # in case of disabled anonymous user we reset some of the
1164 1165 # parameters so such user is "corrupted", skipping the fill_data
1165 1166 for attr in ['user_id', 'username', 'admin', 'active']:
1166 1167 setattr(self, attr, None)
1167 1168 self.is_authenticated = False
1168 1169
1169 1170 if not self.username:
1170 1171 self.username = 'None'
1171 1172
1172 1173 log.debug('AuthUser: propagated user is now %s', self)
1173 1174
1174 1175 def get_perms(self, user, scope=None, explicit=True, algo='higherwin',
1175 1176 calculate_super_admin=False, cache=None):
1176 1177 """
1177 1178 Fills user permission attribute with permissions taken from database
1178 1179 works for permissions given for repositories, and for permissions that
1179 1180 are granted to groups
1180 1181
1181 1182 :param user: instance of User object from database
1182 1183 :param explicit: In case there are permissions both for user and a group
1183 1184 that user is part of, explicit flag will defiine if user will
1184 1185 explicitly override permissions from group, if it's False it will
1185 1186 make decision based on the algo
1186 1187 :param algo: algorithm to decide what permission should be choose if
1187 1188 it's multiple defined, eg user in two different groups. It also
1188 1189 decides if explicit flag is turned off how to specify the permission
1189 1190 for case when user is in a group + have defined separate permission
1190 1191 :param calculate_super_admin: calculate permissions for super-admin in the
1191 1192 same way as for regular user without speedups
1192 1193 :param cache: Use caching for calculation, None = let the cache backend decide
1193 1194 """
1194 1195 user_id = user.user_id
1195 1196 user_is_admin = user.is_admin
1196 1197
1197 1198 # inheritance of global permissions like create repo/fork repo etc
1198 1199 user_inherit_default_permissions = user.inherit_default_permissions
1199 1200
1200 1201 cache_seconds = safe_int(
1201 1202 rhodecode.CONFIG.get('rc_cache.cache_perms.expiration_time'))
1202 1203
1203 1204 if cache is None:
1204 1205 # let the backend cache decide
1205 1206 cache_on = cache_seconds > 0
1206 1207 else:
1207 1208 cache_on = cache
1208 1209
1209 1210 log.debug(
1210 1211 'Computing PERMISSION tree for user %s scope `%s` '
1211 1212 'with caching: %s[TTL: %ss]', user, scope, cache_on, cache_seconds or 0)
1212 1213
1213 1214 cache_namespace_uid = 'cache_user_auth.{}'.format(user_id)
1214 1215 region = rc_cache.get_or_create_region('cache_perms', cache_namespace_uid)
1215 1216
1216 1217 @region.conditional_cache_on_arguments(namespace=cache_namespace_uid,
1217 1218 condition=cache_on)
1218 1219 def compute_perm_tree(cache_name,
1219 1220 user_id, scope, user_is_admin,user_inherit_default_permissions,
1220 1221 explicit, algo, calculate_super_admin):
1221 1222 return _cached_perms_data(
1222 1223 user_id, scope, user_is_admin, user_inherit_default_permissions,
1223 1224 explicit, algo, calculate_super_admin)
1224 1225
1225 1226 start = time.time()
1226 1227 result = compute_perm_tree(
1227 1228 'permissions', user_id, scope, user_is_admin,
1228 1229 user_inherit_default_permissions, explicit, algo,
1229 1230 calculate_super_admin)
1230 1231
1231 1232 result_repr = []
1232 1233 for k in result:
1233 1234 result_repr.append((k, len(result[k])))
1234 1235 total = time.time() - start
1235 1236 log.debug('PERMISSION tree for user %s computed in %.3fs: %s',
1236 1237 user, total, result_repr)
1237 1238
1238 1239 return result
1239 1240
1240 1241 @property
1241 1242 def is_default(self):
1242 1243 return self.username == User.DEFAULT_USER
1243 1244
1244 1245 @property
1245 1246 def is_admin(self):
1246 1247 return self.admin
1247 1248
1248 1249 @property
1249 1250 def is_user_object(self):
1250 1251 return self.user_id is not None
1251 1252
1252 1253 @property
1253 1254 def repositories_admin(self):
1254 1255 """
1255 1256 Returns list of repositories you're an admin of
1256 1257 """
1257 1258 return [
1258 1259 x[0] for x in self.permissions['repositories'].items()
1259 1260 if x[1] == 'repository.admin']
1260 1261
1261 1262 @property
1262 1263 def repository_groups_admin(self):
1263 1264 """
1264 1265 Returns list of repository groups you're an admin of
1265 1266 """
1266 1267 return [
1267 1268 x[0] for x in self.permissions['repositories_groups'].items()
1268 1269 if x[1] == 'group.admin']
1269 1270
1270 1271 @property
1271 1272 def user_groups_admin(self):
1272 1273 """
1273 1274 Returns list of user groups you're an admin of
1274 1275 """
1275 1276 return [
1276 1277 x[0] for x in self.permissions['user_groups'].items()
1277 1278 if x[1] == 'usergroup.admin']
1278 1279
1279 1280 def repo_acl_ids(self, perms=None, name_filter=None, cache=False):
1280 1281 """
1281 1282 Returns list of repository ids that user have access to based on given
1282 1283 perms. The cache flag should be only used in cases that are used for
1283 1284 display purposes, NOT IN ANY CASE for permission checks.
1284 1285 """
1285 1286 from rhodecode.model.scm import RepoList
1286 1287 if not perms:
1287 1288 perms = [
1288 1289 'repository.read', 'repository.write', 'repository.admin']
1289 1290
1290 1291 def _cached_repo_acl(user_id, perm_def, _name_filter):
1291 1292 qry = Repository.query()
1292 1293 if _name_filter:
1293 1294 ilike_expression = u'%{}%'.format(safe_unicode(_name_filter))
1294 1295 qry = qry.filter(
1295 1296 Repository.repo_name.ilike(ilike_expression))
1296 1297
1297 1298 return [x.repo_id for x in
1298 1299 RepoList(qry, perm_set=perm_def)]
1299 1300
1300 1301 return _cached_repo_acl(self.user_id, perms, name_filter)
1301 1302
1302 1303 def repo_group_acl_ids(self, perms=None, name_filter=None, cache=False):
1303 1304 """
1304 1305 Returns list of repository group ids that user have access to based on given
1305 1306 perms. The cache flag should be only used in cases that are used for
1306 1307 display purposes, NOT IN ANY CASE for permission checks.
1307 1308 """
1308 1309 from rhodecode.model.scm import RepoGroupList
1309 1310 if not perms:
1310 1311 perms = [
1311 1312 'group.read', 'group.write', 'group.admin']
1312 1313
1313 1314 def _cached_repo_group_acl(user_id, perm_def, _name_filter):
1314 1315 qry = RepoGroup.query()
1315 1316 if _name_filter:
1316 1317 ilike_expression = u'%{}%'.format(safe_unicode(_name_filter))
1317 1318 qry = qry.filter(
1318 1319 RepoGroup.group_name.ilike(ilike_expression))
1319 1320
1320 1321 return [x.group_id for x in
1321 1322 RepoGroupList(qry, perm_set=perm_def)]
1322 1323
1323 1324 return _cached_repo_group_acl(self.user_id, perms, name_filter)
1324 1325
1325 1326 def user_group_acl_ids(self, perms=None, name_filter=None, cache=False):
1326 1327 """
1327 1328 Returns list of user group ids that user have access to based on given
1328 1329 perms. The cache flag should be only used in cases that are used for
1329 1330 display purposes, NOT IN ANY CASE for permission checks.
1330 1331 """
1331 1332 from rhodecode.model.scm import UserGroupList
1332 1333 if not perms:
1333 1334 perms = [
1334 1335 'usergroup.read', 'usergroup.write', 'usergroup.admin']
1335 1336
1336 1337 def _cached_user_group_acl(user_id, perm_def, name_filter):
1337 1338 qry = UserGroup.query()
1338 1339 if name_filter:
1339 1340 ilike_expression = u'%{}%'.format(safe_unicode(name_filter))
1340 1341 qry = qry.filter(
1341 1342 UserGroup.users_group_name.ilike(ilike_expression))
1342 1343
1343 1344 return [x.users_group_id for x in
1344 1345 UserGroupList(qry, perm_set=perm_def)]
1345 1346
1346 1347 return _cached_user_group_acl(self.user_id, perms, name_filter)
1347 1348
1348 1349 @property
1349 1350 def ip_allowed(self):
1350 1351 """
1351 1352 Checks if ip_addr used in constructor is allowed from defined list of
1352 1353 allowed ip_addresses for user
1353 1354
1354 1355 :returns: boolean, True if ip is in allowed ip range
1355 1356 """
1356 1357 # check IP
1357 1358 inherit = self.inherit_default_permissions
1358 1359 return AuthUser.check_ip_allowed(self.user_id, self.ip_addr,
1359 1360 inherit_from_default=inherit)
1360 1361 @property
1361 1362 def personal_repo_group(self):
1362 1363 return RepoGroup.get_user_personal_repo_group(self.user_id)
1363 1364
1364 1365 @LazyProperty
1365 1366 def feed_token(self):
1366 1367 return self.get_instance().feed_token
1367 1368
1368 1369 @classmethod
1369 1370 def check_ip_allowed(cls, user_id, ip_addr, inherit_from_default):
1370 1371 allowed_ips = AuthUser.get_allowed_ips(
1371 1372 user_id, cache=True, inherit_from_default=inherit_from_default)
1372 1373 if check_ip_access(source_ip=ip_addr, allowed_ips=allowed_ips):
1373 1374 log.debug('IP:%s for user %s is in range of %s',
1374 1375 ip_addr, user_id, allowed_ips)
1375 1376 return True
1376 1377 else:
1377 1378 log.info('Access for IP:%s forbidden for user %s, '
1378 1379 'not in %s', ip_addr, user_id, allowed_ips)
1379 1380 return False
1380 1381
1381 1382 def get_branch_permissions(self, repo_name, perms=None):
1382 1383 perms = perms or self.permissions_with_scope({'repo_name': repo_name})
1383 1384 branch_perms = perms.get('repository_branches', {})
1384 1385 if not branch_perms:
1385 1386 return {}
1386 1387 repo_branch_perms = branch_perms.get(repo_name)
1387 1388 return repo_branch_perms or {}
1388 1389
1389 1390 def get_rule_and_branch_permission(self, repo_name, branch_name):
1390 1391 """
1391 1392 Check if this AuthUser has defined any permissions for branches. If any of
1392 1393 the rules match in order, we return the matching permissions
1393 1394 """
1394 1395
1395 1396 rule = default_perm = ''
1396 1397
1397 1398 repo_branch_perms = self.get_branch_permissions(repo_name=repo_name)
1398 1399 if not repo_branch_perms:
1399 1400 return rule, default_perm
1400 1401
1401 1402 # now calculate the permissions
1402 1403 for pattern, branch_perm in repo_branch_perms.items():
1403 1404 if fnmatch.fnmatch(branch_name, pattern):
1404 1405 rule = '`{}`=>{}'.format(pattern, branch_perm)
1405 1406 return rule, branch_perm
1406 1407
1407 1408 return rule, default_perm
1408 1409
1409 1410 def __repr__(self):
1410 1411 return "<AuthUser('id:%s[%s] ip:%s auth:%s')>"\
1411 1412 % (self.user_id, self.username, self.ip_addr, self.is_authenticated)
1412 1413
1413 1414 def set_authenticated(self, authenticated=True):
1414 1415 if self.user_id != self.anonymous_user.user_id:
1415 1416 self.is_authenticated = authenticated
1416 1417
1417 1418 def get_cookie_store(self):
1418 1419 return {
1419 1420 'username': self.username,
1420 1421 'password': md5(self.password or ''),
1421 1422 'user_id': self.user_id,
1422 1423 'is_authenticated': self.is_authenticated
1423 1424 }
1424 1425
1425 1426 @classmethod
1426 1427 def from_cookie_store(cls, cookie_store):
1427 1428 """
1428 1429 Creates AuthUser from a cookie store
1429 1430
1430 1431 :param cls:
1431 1432 :param cookie_store:
1432 1433 """
1433 1434 user_id = cookie_store.get('user_id')
1434 1435 username = cookie_store.get('username')
1435 1436 api_key = cookie_store.get('api_key')
1436 1437 return AuthUser(user_id, api_key, username)
1437 1438
1438 1439 @classmethod
1439 1440 def get_allowed_ips(cls, user_id, cache=False, inherit_from_default=False):
1440 1441 _set = set()
1441 1442
1442 1443 if inherit_from_default:
1443 1444 def_user_id = User.get_default_user(cache=True).user_id
1444 1445 default_ips = UserIpMap.query().filter(UserIpMap.user_id == def_user_id)
1445 1446 if cache:
1446 1447 default_ips = default_ips.options(
1447 1448 FromCache("sql_cache_short", "get_user_ips_default"))
1448 1449
1449 1450 # populate from default user
1450 1451 for ip in default_ips:
1451 1452 try:
1452 1453 _set.add(ip.ip_addr)
1453 1454 except ObjectDeletedError:
1454 1455 # since we use heavy caching sometimes it happens that
1455 1456 # we get deleted objects here, we just skip them
1456 1457 pass
1457 1458
1458 1459 # NOTE:(marcink) we don't want to load any rules for empty
1459 1460 # user_id which is the case of access of non logged users when anonymous
1460 1461 # access is disabled
1461 1462 user_ips = []
1462 1463 if user_id:
1463 1464 user_ips = UserIpMap.query().filter(UserIpMap.user_id == user_id)
1464 1465 if cache:
1465 1466 user_ips = user_ips.options(
1466 1467 FromCache("sql_cache_short", "get_user_ips_%s" % user_id))
1467 1468
1468 1469 for ip in user_ips:
1469 1470 try:
1470 1471 _set.add(ip.ip_addr)
1471 1472 except ObjectDeletedError:
1472 1473 # since we use heavy caching sometimes it happens that we get
1473 1474 # deleted objects here, we just skip them
1474 1475 pass
1475 1476 return _set or {ip for ip in ['0.0.0.0/0', '::/0']}
1476 1477
1477 1478
1478 1479 def set_available_permissions(settings):
1479 1480 """
1480 1481 This function will propagate pyramid settings with all available defined
1481 1482 permission given in db. We don't want to check each time from db for new
1482 1483 permissions since adding a new permission also requires application restart
1483 1484 ie. to decorate new views with the newly created permission
1484 1485
1485 1486 :param settings: current pyramid registry.settings
1486 1487
1487 1488 """
1488 1489 log.debug('auth: getting information about all available permissions')
1489 1490 try:
1490 1491 sa = meta.Session
1491 1492 all_perms = sa.query(Permission).all()
1492 1493 settings.setdefault('available_permissions',
1493 1494 [x.permission_name for x in all_perms])
1494 1495 log.debug('auth: set available permissions')
1495 1496 except Exception:
1496 1497 log.exception('Failed to fetch permissions from the database.')
1497 1498 raise
1498 1499
1499 1500
1500 1501 def get_csrf_token(session, force_new=False, save_if_missing=True):
1501 1502 """
1502 1503 Return the current authentication token, creating one if one doesn't
1503 1504 already exist and the save_if_missing flag is present.
1504 1505
1505 1506 :param session: pass in the pyramid session, else we use the global ones
1506 1507 :param force_new: force to re-generate the token and store it in session
1507 1508 :param save_if_missing: save the newly generated token if it's missing in
1508 1509 session
1509 1510 """
1510 1511 # NOTE(marcink): probably should be replaced with below one from pyramid 1.9
1511 1512 # from pyramid.csrf import get_csrf_token
1512 1513
1513 1514 if (csrf_token_key not in session and save_if_missing) or force_new:
1514 1515 token = hashlib.sha1(str(random.getrandbits(128))).hexdigest()
1515 1516 session[csrf_token_key] = token
1516 1517 if hasattr(session, 'save'):
1517 1518 session.save()
1518 1519 return session.get(csrf_token_key)
1519 1520
1520 1521
1521 1522 def get_request(perm_class_instance):
1522 1523 from pyramid.threadlocal import get_current_request
1523 1524 pyramid_request = get_current_request()
1524 1525 return pyramid_request
1525 1526
1526 1527
1527 1528 # CHECK DECORATORS
1528 1529 class CSRFRequired(object):
1529 1530 """
1530 1531 Decorator for authenticating a form
1531 1532
1532 1533 This decorator uses an authorization token stored in the client's
1533 1534 session for prevention of certain Cross-site request forgery (CSRF)
1534 1535 attacks (See
1535 1536 http://en.wikipedia.org/wiki/Cross-site_request_forgery for more
1536 1537 information).
1537 1538
1538 1539 For use with the ``webhelpers.secure_form`` helper functions.
1539 1540
1540 1541 """
1541 1542 def __init__(self, token=csrf_token_key, header='X-CSRF-Token',
1542 1543 except_methods=None):
1543 1544 self.token = token
1544 1545 self.header = header
1545 1546 self.except_methods = except_methods or []
1546 1547
1547 1548 def __call__(self, func):
1548 1549 return get_cython_compat_decorator(self.__wrapper, func)
1549 1550
1550 1551 def _get_csrf(self, _request):
1551 1552 return _request.POST.get(self.token, _request.headers.get(self.header))
1552 1553
1553 1554 def check_csrf(self, _request, cur_token):
1554 1555 supplied_token = self._get_csrf(_request)
1555 1556 return supplied_token and supplied_token == cur_token
1556 1557
1557 1558 def _get_request(self):
1558 1559 return get_request(self)
1559 1560
1560 1561 def __wrapper(self, func, *fargs, **fkwargs):
1561 1562 request = self._get_request()
1562 1563
1563 1564 if request.method in self.except_methods:
1564 1565 return func(*fargs, **fkwargs)
1565 1566
1566 1567 cur_token = get_csrf_token(request.session, save_if_missing=False)
1567 1568 if self.check_csrf(request, cur_token):
1568 1569 if request.POST.get(self.token):
1569 1570 del request.POST[self.token]
1570 1571 return func(*fargs, **fkwargs)
1571 1572 else:
1572 1573 reason = 'token-missing'
1573 1574 supplied_token = self._get_csrf(request)
1574 1575 if supplied_token and cur_token != supplied_token:
1575 1576 reason = 'token-mismatch [%s:%s]' % (
1576 1577 cur_token or ''[:6], supplied_token or ''[:6])
1577 1578
1578 1579 csrf_message = \
1579 1580 ("Cross-site request forgery detected, request denied. See "
1580 1581 "http://en.wikipedia.org/wiki/Cross-site_request_forgery for "
1581 1582 "more information.")
1582 1583 log.warn('Cross-site request forgery detected, request %r DENIED: %s '
1583 1584 'REMOTE_ADDR:%s, HEADERS:%s' % (
1584 1585 request, reason, request.remote_addr, request.headers))
1585 1586
1586 1587 raise HTTPForbidden(explanation=csrf_message)
1587 1588
1588 1589
1589 1590 class LoginRequired(object):
1590 1591 """
1591 1592 Must be logged in to execute this function else
1592 1593 redirect to login page
1593 1594
1594 1595 :param api_access: if enabled this checks only for valid auth token
1595 1596 and grants access based on valid token
1596 1597 """
1597 1598 def __init__(self, auth_token_access=None):
1598 1599 self.auth_token_access = auth_token_access
1599 1600
1600 1601 def __call__(self, func):
1601 1602 return get_cython_compat_decorator(self.__wrapper, func)
1602 1603
1603 1604 def _get_request(self):
1604 1605 return get_request(self)
1605 1606
1606 1607 def __wrapper(self, func, *fargs, **fkwargs):
1607 1608 from rhodecode.lib import helpers as h
1608 1609 cls = fargs[0]
1609 1610 user = cls._rhodecode_user
1610 1611 request = self._get_request()
1611 1612 _ = request.translate
1612 1613
1613 1614 loc = "%s:%s" % (cls.__class__.__name__, func.__name__)
1614 1615 log.debug('Starting login restriction checks for user: %s', user)
1615 1616 # check if our IP is allowed
1616 1617 ip_access_valid = True
1617 1618 if not user.ip_allowed:
1618 1619 h.flash(h.literal(_('IP %s not allowed' % (user.ip_addr,))),
1619 1620 category='warning')
1620 1621 ip_access_valid = False
1621 1622
1622 1623 # check if we used an APIKEY and it's a valid one
1623 1624 # defined white-list of controllers which API access will be enabled
1624 1625 _auth_token = request.GET.get(
1625 1626 'auth_token', '') or request.GET.get('api_key', '')
1626 1627 auth_token_access_valid = allowed_auth_token_access(
1627 1628 loc, auth_token=_auth_token)
1628 1629
1629 1630 # explicit controller is enabled or API is in our whitelist
1630 1631 if self.auth_token_access or auth_token_access_valid:
1631 1632 log.debug('Checking AUTH TOKEN access for %s', cls)
1632 1633 db_user = user.get_instance()
1633 1634
1634 1635 if db_user:
1635 1636 if self.auth_token_access:
1636 1637 roles = self.auth_token_access
1637 1638 else:
1638 1639 roles = [UserApiKeys.ROLE_HTTP]
1639 1640 token_match = db_user.authenticate_by_token(
1640 1641 _auth_token, roles=roles)
1641 1642 else:
1642 1643 log.debug('Unable to fetch db instance for auth user: %s', user)
1643 1644 token_match = False
1644 1645
1645 1646 if _auth_token and token_match:
1646 1647 auth_token_access_valid = True
1647 1648 log.debug('AUTH TOKEN ****%s is VALID', _auth_token[-4:])
1648 1649 else:
1649 1650 auth_token_access_valid = False
1650 1651 if not _auth_token:
1651 1652 log.debug("AUTH TOKEN *NOT* present in request")
1652 1653 else:
1653 1654 log.warning("AUTH TOKEN ****%s *NOT* valid", _auth_token[-4:])
1654 1655
1655 1656 log.debug('Checking if %s is authenticated @ %s', user.username, loc)
1656 1657 reason = 'RHODECODE_AUTH' if user.is_authenticated \
1657 1658 else 'AUTH_TOKEN_AUTH'
1658 1659
1659 1660 if ip_access_valid and (
1660 1661 user.is_authenticated or auth_token_access_valid):
1661 1662 log.info('user %s authenticating with:%s IS authenticated on func %s',
1662 1663 user, reason, loc)
1663 1664
1664 1665 return func(*fargs, **fkwargs)
1665 1666 else:
1666 1667 log.warning(
1667 1668 'user %s authenticating with:%s NOT authenticated on '
1668 1669 'func: %s: IP_ACCESS:%s AUTH_TOKEN_ACCESS:%s',
1669 1670 user, reason, loc, ip_access_valid, auth_token_access_valid)
1670 1671 # we preserve the get PARAM
1671 1672 came_from = get_came_from(request)
1672 1673
1673 1674 log.debug('redirecting to login page with %s', came_from)
1674 1675 raise HTTPFound(
1675 1676 h.route_path('login', _query={'came_from': came_from}))
1676 1677
1677 1678
1678 1679 class NotAnonymous(object):
1679 1680 """
1680 1681 Must be logged in to execute this function else
1681 1682 redirect to login page
1682 1683 """
1683 1684
1684 1685 def __call__(self, func):
1685 1686 return get_cython_compat_decorator(self.__wrapper, func)
1686 1687
1687 1688 def _get_request(self):
1688 1689 return get_request(self)
1689 1690
1690 1691 def __wrapper(self, func, *fargs, **fkwargs):
1691 1692 import rhodecode.lib.helpers as h
1692 1693 cls = fargs[0]
1693 1694 self.user = cls._rhodecode_user
1694 1695 request = self._get_request()
1695 1696 _ = request.translate
1696 1697 log.debug('Checking if user is not anonymous @%s', cls)
1697 1698
1698 1699 anonymous = self.user.username == User.DEFAULT_USER
1699 1700
1700 1701 if anonymous:
1701 1702 came_from = get_came_from(request)
1702 1703 h.flash(_('You need to be a registered user to '
1703 1704 'perform this action'),
1704 1705 category='warning')
1705 1706 raise HTTPFound(
1706 1707 h.route_path('login', _query={'came_from': came_from}))
1707 1708 else:
1708 1709 return func(*fargs, **fkwargs)
1709 1710
1710 1711
1711 1712 class PermsDecorator(object):
1712 1713 """
1713 1714 Base class for controller decorators, we extract the current user from
1714 1715 the class itself, which has it stored in base controllers
1715 1716 """
1716 1717
1717 1718 def __init__(self, *required_perms):
1718 1719 self.required_perms = set(required_perms)
1719 1720
1720 1721 def __call__(self, func):
1721 1722 return get_cython_compat_decorator(self.__wrapper, func)
1722 1723
1723 1724 def _get_request(self):
1724 1725 return get_request(self)
1725 1726
1726 1727 def __wrapper(self, func, *fargs, **fkwargs):
1727 1728 import rhodecode.lib.helpers as h
1728 1729 cls = fargs[0]
1729 1730 _user = cls._rhodecode_user
1730 1731 request = self._get_request()
1731 1732 _ = request.translate
1732 1733
1733 1734 log.debug('checking %s permissions %s for %s %s',
1734 1735 self.__class__.__name__, self.required_perms, cls, _user)
1735 1736
1736 1737 if self.check_permissions(_user):
1737 1738 log.debug('Permission granted for %s %s', cls, _user)
1738 1739 return func(*fargs, **fkwargs)
1739 1740
1740 1741 else:
1741 1742 log.debug('Permission denied for %s %s', cls, _user)
1742 1743 anonymous = _user.username == User.DEFAULT_USER
1743 1744
1744 1745 if anonymous:
1745 1746 came_from = get_came_from(self._get_request())
1746 1747 h.flash(_('You need to be signed in to view this page'),
1747 1748 category='warning')
1748 1749 raise HTTPFound(
1749 1750 h.route_path('login', _query={'came_from': came_from}))
1750 1751
1751 1752 else:
1752 1753 # redirect with 404 to prevent resource discovery
1753 1754 raise HTTPNotFound()
1754 1755
1755 1756 def check_permissions(self, user):
1756 1757 """Dummy function for overriding"""
1757 1758 raise NotImplementedError(
1758 1759 'You have to write this function in child class')
1759 1760
1760 1761
1761 1762 class HasPermissionAllDecorator(PermsDecorator):
1762 1763 """
1763 1764 Checks for access permission for all given predicates. All of them
1764 1765 have to be meet in order to fulfill the request
1765 1766 """
1766 1767
1767 1768 def check_permissions(self, user):
1768 1769 perms = user.permissions_with_scope({})
1769 1770 if self.required_perms.issubset(perms['global']):
1770 1771 return True
1771 1772 return False
1772 1773
1773 1774
1774 1775 class HasPermissionAnyDecorator(PermsDecorator):
1775 1776 """
1776 1777 Checks for access permission for any of given predicates. In order to
1777 1778 fulfill the request any of predicates must be meet
1778 1779 """
1779 1780
1780 1781 def check_permissions(self, user):
1781 1782 perms = user.permissions_with_scope({})
1782 1783 if self.required_perms.intersection(perms['global']):
1783 1784 return True
1784 1785 return False
1785 1786
1786 1787
1787 1788 class HasRepoPermissionAllDecorator(PermsDecorator):
1788 1789 """
1789 1790 Checks for access permission for all given predicates for specific
1790 1791 repository. All of them have to be meet in order to fulfill the request
1791 1792 """
1792 1793 def _get_repo_name(self):
1793 1794 _request = self._get_request()
1794 1795 return get_repo_slug(_request)
1795 1796
1796 1797 def check_permissions(self, user):
1797 1798 perms = user.permissions
1798 1799 repo_name = self._get_repo_name()
1799 1800
1800 1801 try:
1801 1802 user_perms = {perms['repositories'][repo_name]}
1802 1803 except KeyError:
1803 1804 log.debug('cannot locate repo with name: `%s` in permissions defs',
1804 1805 repo_name)
1805 1806 return False
1806 1807
1807 1808 log.debug('checking `%s` permissions for repo `%s`',
1808 1809 user_perms, repo_name)
1809 1810 if self.required_perms.issubset(user_perms):
1810 1811 return True
1811 1812 return False
1812 1813
1813 1814
1814 1815 class HasRepoPermissionAnyDecorator(PermsDecorator):
1815 1816 """
1816 1817 Checks for access permission for any of given predicates for specific
1817 1818 repository. In order to fulfill the request any of predicates must be meet
1818 1819 """
1819 1820 def _get_repo_name(self):
1820 1821 _request = self._get_request()
1821 1822 return get_repo_slug(_request)
1822 1823
1823 1824 def check_permissions(self, user):
1824 1825 perms = user.permissions
1825 1826 repo_name = self._get_repo_name()
1826 1827
1827 1828 try:
1828 1829 user_perms = {perms['repositories'][repo_name]}
1829 1830 except KeyError:
1830 1831 log.debug(
1831 1832 'cannot locate repo with name: `%s` in permissions defs',
1832 1833 repo_name)
1833 1834 return False
1834 1835
1835 1836 log.debug('checking `%s` permissions for repo `%s`',
1836 1837 user_perms, repo_name)
1837 1838 if self.required_perms.intersection(user_perms):
1838 1839 return True
1839 1840 return False
1840 1841
1841 1842
1842 1843 class HasRepoGroupPermissionAllDecorator(PermsDecorator):
1843 1844 """
1844 1845 Checks for access permission for all given predicates for specific
1845 1846 repository group. All of them have to be meet in order to
1846 1847 fulfill the request
1847 1848 """
1848 1849 def _get_repo_group_name(self):
1849 1850 _request = self._get_request()
1850 1851 return get_repo_group_slug(_request)
1851 1852
1852 1853 def check_permissions(self, user):
1853 1854 perms = user.permissions
1854 1855 group_name = self._get_repo_group_name()
1855 1856 try:
1856 1857 user_perms = {perms['repositories_groups'][group_name]}
1857 1858 except KeyError:
1858 1859 log.debug(
1859 1860 'cannot locate repo group with name: `%s` in permissions defs',
1860 1861 group_name)
1861 1862 return False
1862 1863
1863 1864 log.debug('checking `%s` permissions for repo group `%s`',
1864 1865 user_perms, group_name)
1865 1866 if self.required_perms.issubset(user_perms):
1866 1867 return True
1867 1868 return False
1868 1869
1869 1870
1870 1871 class HasRepoGroupPermissionAnyDecorator(PermsDecorator):
1871 1872 """
1872 1873 Checks for access permission for any of given predicates for specific
1873 1874 repository group. In order to fulfill the request any
1874 1875 of predicates must be met
1875 1876 """
1876 1877 def _get_repo_group_name(self):
1877 1878 _request = self._get_request()
1878 1879 return get_repo_group_slug(_request)
1879 1880
1880 1881 def check_permissions(self, user):
1881 1882 perms = user.permissions
1882 1883 group_name = self._get_repo_group_name()
1883 1884
1884 1885 try:
1885 1886 user_perms = {perms['repositories_groups'][group_name]}
1886 1887 except KeyError:
1887 1888 log.debug(
1888 1889 'cannot locate repo group with name: `%s` in permissions defs',
1889 1890 group_name)
1890 1891 return False
1891 1892
1892 1893 log.debug('checking `%s` permissions for repo group `%s`',
1893 1894 user_perms, group_name)
1894 1895 if self.required_perms.intersection(user_perms):
1895 1896 return True
1896 1897 return False
1897 1898
1898 1899
1899 1900 class HasUserGroupPermissionAllDecorator(PermsDecorator):
1900 1901 """
1901 1902 Checks for access permission for all given predicates for specific
1902 1903 user group. All of them have to be meet in order to fulfill the request
1903 1904 """
1904 1905 def _get_user_group_name(self):
1905 1906 _request = self._get_request()
1906 1907 return get_user_group_slug(_request)
1907 1908
1908 1909 def check_permissions(self, user):
1909 1910 perms = user.permissions
1910 1911 group_name = self._get_user_group_name()
1911 1912 try:
1912 1913 user_perms = {perms['user_groups'][group_name]}
1913 1914 except KeyError:
1914 1915 return False
1915 1916
1916 1917 if self.required_perms.issubset(user_perms):
1917 1918 return True
1918 1919 return False
1919 1920
1920 1921
1921 1922 class HasUserGroupPermissionAnyDecorator(PermsDecorator):
1922 1923 """
1923 1924 Checks for access permission for any of given predicates for specific
1924 1925 user group. In order to fulfill the request any of predicates must be meet
1925 1926 """
1926 1927 def _get_user_group_name(self):
1927 1928 _request = self._get_request()
1928 1929 return get_user_group_slug(_request)
1929 1930
1930 1931 def check_permissions(self, user):
1931 1932 perms = user.permissions
1932 1933 group_name = self._get_user_group_name()
1933 1934 try:
1934 1935 user_perms = {perms['user_groups'][group_name]}
1935 1936 except KeyError:
1936 1937 return False
1937 1938
1938 1939 if self.required_perms.intersection(user_perms):
1939 1940 return True
1940 1941 return False
1941 1942
1942 1943
1943 1944 # CHECK FUNCTIONS
1944 1945 class PermsFunction(object):
1945 1946 """Base function for other check functions"""
1946 1947
1947 1948 def __init__(self, *perms):
1948 1949 self.required_perms = set(perms)
1949 1950 self.repo_name = None
1950 1951 self.repo_group_name = None
1951 1952 self.user_group_name = None
1952 1953
1953 1954 def __bool__(self):
1954 1955 frame = inspect.currentframe()
1955 1956 stack_trace = traceback.format_stack(frame)
1956 1957 log.error('Checking bool value on a class instance of perm '
1957 1958 'function is not allowed: %s', ''.join(stack_trace))
1958 1959 # rather than throwing errors, here we always return False so if by
1959 1960 # accident someone checks truth for just an instance it will always end
1960 1961 # up in returning False
1961 1962 return False
1962 1963 __nonzero__ = __bool__
1963 1964
1964 1965 def __call__(self, check_location='', user=None):
1965 1966 if not user:
1966 1967 log.debug('Using user attribute from global request')
1967 1968 request = self._get_request()
1968 1969 user = request.user
1969 1970
1970 1971 # init auth user if not already given
1971 1972 if not isinstance(user, AuthUser):
1972 1973 log.debug('Wrapping user %s into AuthUser', user)
1973 1974 user = AuthUser(user.user_id)
1974 1975
1975 1976 cls_name = self.__class__.__name__
1976 1977 check_scope = self._get_check_scope(cls_name)
1977 1978 check_location = check_location or 'unspecified location'
1978 1979
1979 1980 log.debug('checking cls:%s %s usr:%s %s @ %s', cls_name,
1980 1981 self.required_perms, user, check_scope, check_location)
1981 1982 if not user:
1982 1983 log.warning('Empty user given for permission check')
1983 1984 return False
1984 1985
1985 1986 if self.check_permissions(user):
1986 1987 log.debug('Permission to repo:`%s` GRANTED for user:`%s` @ %s',
1987 1988 check_scope, user, check_location)
1988 1989 return True
1989 1990
1990 1991 else:
1991 1992 log.debug('Permission to repo:`%s` DENIED for user:`%s` @ %s',
1992 1993 check_scope, user, check_location)
1993 1994 return False
1994 1995
1995 1996 def _get_request(self):
1996 1997 return get_request(self)
1997 1998
1998 1999 def _get_check_scope(self, cls_name):
1999 2000 return {
2000 2001 'HasPermissionAll': 'GLOBAL',
2001 2002 'HasPermissionAny': 'GLOBAL',
2002 2003 'HasRepoPermissionAll': 'repo:%s' % self.repo_name,
2003 2004 'HasRepoPermissionAny': 'repo:%s' % self.repo_name,
2004 2005 'HasRepoGroupPermissionAll': 'repo_group:%s' % self.repo_group_name,
2005 2006 'HasRepoGroupPermissionAny': 'repo_group:%s' % self.repo_group_name,
2006 2007 'HasUserGroupPermissionAll': 'user_group:%s' % self.user_group_name,
2007 2008 'HasUserGroupPermissionAny': 'user_group:%s' % self.user_group_name,
2008 2009 }.get(cls_name, '?:%s' % cls_name)
2009 2010
2010 2011 def check_permissions(self, user):
2011 2012 """Dummy function for overriding"""
2012 2013 raise Exception('You have to write this function in child class')
2013 2014
2014 2015
2015 2016 class HasPermissionAll(PermsFunction):
2016 2017 def check_permissions(self, user):
2017 2018 perms = user.permissions_with_scope({})
2018 2019 if self.required_perms.issubset(perms.get('global')):
2019 2020 return True
2020 2021 return False
2021 2022
2022 2023
2023 2024 class HasPermissionAny(PermsFunction):
2024 2025 def check_permissions(self, user):
2025 2026 perms = user.permissions_with_scope({})
2026 2027 if self.required_perms.intersection(perms.get('global')):
2027 2028 return True
2028 2029 return False
2029 2030
2030 2031
2031 2032 class HasRepoPermissionAll(PermsFunction):
2032 2033 def __call__(self, repo_name=None, check_location='', user=None):
2033 2034 self.repo_name = repo_name
2034 2035 return super(HasRepoPermissionAll, self).__call__(check_location, user)
2035 2036
2036 2037 def _get_repo_name(self):
2037 2038 if not self.repo_name:
2038 2039 _request = self._get_request()
2039 2040 self.repo_name = get_repo_slug(_request)
2040 2041 return self.repo_name
2041 2042
2042 2043 def check_permissions(self, user):
2043 2044 self.repo_name = self._get_repo_name()
2044 2045 perms = user.permissions
2045 2046 try:
2046 2047 user_perms = {perms['repositories'][self.repo_name]}
2047 2048 except KeyError:
2048 2049 return False
2049 2050 if self.required_perms.issubset(user_perms):
2050 2051 return True
2051 2052 return False
2052 2053
2053 2054
2054 2055 class HasRepoPermissionAny(PermsFunction):
2055 2056 def __call__(self, repo_name=None, check_location='', user=None):
2056 2057 self.repo_name = repo_name
2057 2058 return super(HasRepoPermissionAny, self).__call__(check_location, user)
2058 2059
2059 2060 def _get_repo_name(self):
2060 2061 if not self.repo_name:
2061 2062 _request = self._get_request()
2062 2063 self.repo_name = get_repo_slug(_request)
2063 2064 return self.repo_name
2064 2065
2065 2066 def check_permissions(self, user):
2066 2067 self.repo_name = self._get_repo_name()
2067 2068 perms = user.permissions
2068 2069 try:
2069 2070 user_perms = {perms['repositories'][self.repo_name]}
2070 2071 except KeyError:
2071 2072 return False
2072 2073 if self.required_perms.intersection(user_perms):
2073 2074 return True
2074 2075 return False
2075 2076
2076 2077
2077 2078 class HasRepoGroupPermissionAny(PermsFunction):
2078 2079 def __call__(self, group_name=None, check_location='', user=None):
2079 2080 self.repo_group_name = group_name
2080 2081 return super(HasRepoGroupPermissionAny, self).__call__(
2081 2082 check_location, user)
2082 2083
2083 2084 def check_permissions(self, user):
2084 2085 perms = user.permissions
2085 2086 try:
2086 2087 user_perms = {perms['repositories_groups'][self.repo_group_name]}
2087 2088 except KeyError:
2088 2089 return False
2089 2090 if self.required_perms.intersection(user_perms):
2090 2091 return True
2091 2092 return False
2092 2093
2093 2094
2094 2095 class HasRepoGroupPermissionAll(PermsFunction):
2095 2096 def __call__(self, group_name=None, check_location='', user=None):
2096 2097 self.repo_group_name = group_name
2097 2098 return super(HasRepoGroupPermissionAll, self).__call__(
2098 2099 check_location, user)
2099 2100
2100 2101 def check_permissions(self, user):
2101 2102 perms = user.permissions
2102 2103 try:
2103 2104 user_perms = {perms['repositories_groups'][self.repo_group_name]}
2104 2105 except KeyError:
2105 2106 return False
2106 2107 if self.required_perms.issubset(user_perms):
2107 2108 return True
2108 2109 return False
2109 2110
2110 2111
2111 2112 class HasUserGroupPermissionAny(PermsFunction):
2112 2113 def __call__(self, user_group_name=None, check_location='', user=None):
2113 2114 self.user_group_name = user_group_name
2114 2115 return super(HasUserGroupPermissionAny, self).__call__(
2115 2116 check_location, user)
2116 2117
2117 2118 def check_permissions(self, user):
2118 2119 perms = user.permissions
2119 2120 try:
2120 2121 user_perms = {perms['user_groups'][self.user_group_name]}
2121 2122 except KeyError:
2122 2123 return False
2123 2124 if self.required_perms.intersection(user_perms):
2124 2125 return True
2125 2126 return False
2126 2127
2127 2128
2128 2129 class HasUserGroupPermissionAll(PermsFunction):
2129 2130 def __call__(self, user_group_name=None, check_location='', user=None):
2130 2131 self.user_group_name = user_group_name
2131 2132 return super(HasUserGroupPermissionAll, self).__call__(
2132 2133 check_location, user)
2133 2134
2134 2135 def check_permissions(self, user):
2135 2136 perms = user.permissions
2136 2137 try:
2137 2138 user_perms = {perms['user_groups'][self.user_group_name]}
2138 2139 except KeyError:
2139 2140 return False
2140 2141 if self.required_perms.issubset(user_perms):
2141 2142 return True
2142 2143 return False
2143 2144
2144 2145
2145 2146 # SPECIAL VERSION TO HANDLE MIDDLEWARE AUTH
2146 2147 class HasPermissionAnyMiddleware(object):
2147 2148 def __init__(self, *perms):
2148 2149 self.required_perms = set(perms)
2149 2150
2150 2151 def __call__(self, auth_user, repo_name):
2151 2152 # repo_name MUST be unicode, since we handle keys in permission
2152 2153 # dict by unicode
2153 2154 repo_name = safe_unicode(repo_name)
2154 2155 log.debug(
2155 2156 'Checking VCS protocol permissions %s for user:%s repo:`%s`',
2156 2157 self.required_perms, auth_user, repo_name)
2157 2158
2158 2159 if self.check_permissions(auth_user, repo_name):
2159 2160 log.debug('Permission to repo:`%s` GRANTED for user:%s @ %s',
2160 2161 repo_name, auth_user, 'PermissionMiddleware')
2161 2162 return True
2162 2163
2163 2164 else:
2164 2165 log.debug('Permission to repo:`%s` DENIED for user:%s @ %s',
2165 2166 repo_name, auth_user, 'PermissionMiddleware')
2166 2167 return False
2167 2168
2168 2169 def check_permissions(self, user, repo_name):
2169 2170 perms = user.permissions_with_scope({'repo_name': repo_name})
2170 2171
2171 2172 try:
2172 2173 user_perms = {perms['repositories'][repo_name]}
2173 2174 except Exception:
2174 2175 log.exception('Error while accessing user permissions')
2175 2176 return False
2176 2177
2177 2178 if self.required_perms.intersection(user_perms):
2178 2179 return True
2179 2180 return False
2180 2181
2181 2182
2182 2183 # SPECIAL VERSION TO HANDLE API AUTH
2183 2184 class _BaseApiPerm(object):
2184 2185 def __init__(self, *perms):
2185 2186 self.required_perms = set(perms)
2186 2187
2187 2188 def __call__(self, check_location=None, user=None, repo_name=None,
2188 2189 group_name=None, user_group_name=None):
2189 2190 cls_name = self.__class__.__name__
2190 2191 check_scope = 'global:%s' % (self.required_perms,)
2191 2192 if repo_name:
2192 2193 check_scope += ', repo_name:%s' % (repo_name,)
2193 2194
2194 2195 if group_name:
2195 2196 check_scope += ', repo_group_name:%s' % (group_name,)
2196 2197
2197 2198 if user_group_name:
2198 2199 check_scope += ', user_group_name:%s' % (user_group_name,)
2199 2200
2200 2201 log.debug('checking cls:%s %s %s @ %s',
2201 2202 cls_name, self.required_perms, check_scope, check_location)
2202 2203 if not user:
2203 2204 log.debug('Empty User passed into arguments')
2204 2205 return False
2205 2206
2206 2207 # process user
2207 2208 if not isinstance(user, AuthUser):
2208 2209 user = AuthUser(user.user_id)
2209 2210 if not check_location:
2210 2211 check_location = 'unspecified'
2211 2212 if self.check_permissions(user.permissions, repo_name, group_name,
2212 2213 user_group_name):
2213 2214 log.debug('Permission to repo:`%s` GRANTED for user:`%s` @ %s',
2214 2215 check_scope, user, check_location)
2215 2216 return True
2216 2217
2217 2218 else:
2218 2219 log.debug('Permission to repo:`%s` DENIED for user:`%s` @ %s',
2219 2220 check_scope, user, check_location)
2220 2221 return False
2221 2222
2222 2223 def check_permissions(self, perm_defs, repo_name=None, group_name=None,
2223 2224 user_group_name=None):
2224 2225 """
2225 2226 implement in child class should return True if permissions are ok,
2226 2227 False otherwise
2227 2228
2228 2229 :param perm_defs: dict with permission definitions
2229 2230 :param repo_name: repo name
2230 2231 """
2231 2232 raise NotImplementedError()
2232 2233
2233 2234
2234 2235 class HasPermissionAllApi(_BaseApiPerm):
2235 2236 def check_permissions(self, perm_defs, repo_name=None, group_name=None,
2236 2237 user_group_name=None):
2237 2238 if self.required_perms.issubset(perm_defs.get('global')):
2238 2239 return True
2239 2240 return False
2240 2241
2241 2242
2242 2243 class HasPermissionAnyApi(_BaseApiPerm):
2243 2244 def check_permissions(self, perm_defs, repo_name=None, group_name=None,
2244 2245 user_group_name=None):
2245 2246 if self.required_perms.intersection(perm_defs.get('global')):
2246 2247 return True
2247 2248 return False
2248 2249
2249 2250
2250 2251 class HasRepoPermissionAllApi(_BaseApiPerm):
2251 2252 def check_permissions(self, perm_defs, repo_name=None, group_name=None,
2252 2253 user_group_name=None):
2253 2254 try:
2254 2255 _user_perms = {perm_defs['repositories'][repo_name]}
2255 2256 except KeyError:
2256 2257 log.warning(traceback.format_exc())
2257 2258 return False
2258 2259 if self.required_perms.issubset(_user_perms):
2259 2260 return True
2260 2261 return False
2261 2262
2262 2263
2263 2264 class HasRepoPermissionAnyApi(_BaseApiPerm):
2264 2265 def check_permissions(self, perm_defs, repo_name=None, group_name=None,
2265 2266 user_group_name=None):
2266 2267 try:
2267 2268 _user_perms = {perm_defs['repositories'][repo_name]}
2268 2269 except KeyError:
2269 2270 log.warning(traceback.format_exc())
2270 2271 return False
2271 2272 if self.required_perms.intersection(_user_perms):
2272 2273 return True
2273 2274 return False
2274 2275
2275 2276
2276 2277 class HasRepoGroupPermissionAnyApi(_BaseApiPerm):
2277 2278 def check_permissions(self, perm_defs, repo_name=None, group_name=None,
2278 2279 user_group_name=None):
2279 2280 try:
2280 2281 _user_perms = {perm_defs['repositories_groups'][group_name]}
2281 2282 except KeyError:
2282 2283 log.warning(traceback.format_exc())
2283 2284 return False
2284 2285 if self.required_perms.intersection(_user_perms):
2285 2286 return True
2286 2287 return False
2287 2288
2288 2289
2289 2290 class HasRepoGroupPermissionAllApi(_BaseApiPerm):
2290 2291 def check_permissions(self, perm_defs, repo_name=None, group_name=None,
2291 2292 user_group_name=None):
2292 2293 try:
2293 2294 _user_perms = {perm_defs['repositories_groups'][group_name]}
2294 2295 except KeyError:
2295 2296 log.warning(traceback.format_exc())
2296 2297 return False
2297 2298 if self.required_perms.issubset(_user_perms):
2298 2299 return True
2299 2300 return False
2300 2301
2301 2302
2302 2303 class HasUserGroupPermissionAnyApi(_BaseApiPerm):
2303 2304 def check_permissions(self, perm_defs, repo_name=None, group_name=None,
2304 2305 user_group_name=None):
2305 2306 try:
2306 2307 _user_perms = {perm_defs['user_groups'][user_group_name]}
2307 2308 except KeyError:
2308 2309 log.warning(traceback.format_exc())
2309 2310 return False
2310 2311 if self.required_perms.intersection(_user_perms):
2311 2312 return True
2312 2313 return False
2313 2314
2314 2315
2315 2316 def check_ip_access(source_ip, allowed_ips=None):
2316 2317 """
2317 2318 Checks if source_ip is a subnet of any of allowed_ips.
2318 2319
2319 2320 :param source_ip:
2320 2321 :param allowed_ips: list of allowed ips together with mask
2321 2322 """
2322 2323 log.debug('checking if ip:%s is subnet of %s', source_ip, allowed_ips)
2323 2324 source_ip_address = ipaddress.ip_address(safe_unicode(source_ip))
2324 2325 if isinstance(allowed_ips, (tuple, list, set)):
2325 2326 for ip in allowed_ips:
2326 2327 ip = safe_unicode(ip)
2327 2328 try:
2328 2329 network_address = ipaddress.ip_network(ip, strict=False)
2329 2330 if source_ip_address in network_address:
2330 2331 log.debug('IP %s is network %s', source_ip_address, network_address)
2331 2332 return True
2332 2333 # for any case we cannot determine the IP, don't crash just
2333 2334 # skip it and log as error, we want to say forbidden still when
2334 2335 # sending bad IP
2335 2336 except Exception:
2336 2337 log.error(traceback.format_exc())
2337 2338 continue
2338 2339 return False
2339 2340
2340 2341
2341 2342 def get_cython_compat_decorator(wrapper, func):
2342 2343 """
2343 2344 Creates a cython compatible decorator. The previously used
2344 2345 decorator.decorator() function seems to be incompatible with cython.
2345 2346
2346 2347 :param wrapper: __wrapper method of the decorator class
2347 2348 :param func: decorated function
2348 2349 """
2349 2350 @wraps(func)
2350 2351 def local_wrapper(*args, **kwds):
2351 2352 return wrapper(func, *args, **kwds)
2352 2353 local_wrapper.__wrapped__ = func
2353 2354 return local_wrapper
2354 2355
2355 2356
General Comments 0
You need to be logged in to leave comments. Login now