##// END OF EJS Templates
upstream » kallithea
RSS

Clone from https://kallithea-scm.org/repos/kallithea

Change example URL
Change example URL
Bradley M. Kuhn - - Load All Authors

File last commit:

r4116:ffd45b18 rhodecode-2.2.5-gpl
r4182:05cabd91 kallithea-2.2.5-r...
Show More
auth.py
1331 lines | 47.6 KiB | text/x-python | PythonLexer
/ rhodecode / lib / auth.py
History | Source | Raw |Copy content |Copy permalink
marcink
Added some more details into user edit permissions view
 r895 # -*- coding: utf-8 -*-
marcink
fixed license issue #149
 r1206 # This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
marcink
source code cleanup: remove trailing white space, normalize file endings
 r1203 #
marcink
renamed project to rhodecode
 r547 # This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
marcink
source code cleanup: remove trailing white space, normalize file endings
 r1203 #
marcink
renamed project to rhodecode
 r547 # You should have received a copy of the GNU General Public License
marcink
fixed license issue #149
 r1206 # along with this program. If not, see <http://www.gnu.org/licenses/>.
Bradley M. Kuhn
Imported some of the GPLv3'd changes from RhodeCode v2.2.5....
 r4116 """
rhodecode.lib.auth
~~~~~~~~~~~~~~~~~~
marcink
renamed project to rhodecode
 r547
Bradley M. Kuhn
Imported some of the GPLv3'd changes from RhodeCode v2.2.5....
 r4116 authentication and permission libraries
:created_on: Apr 4, 2010
:author: marcink
:copyright: (c) 2013 RhodeCode GmbH.
:license: GPLv3, see LICENSE for more details.
"""
from __future__ import with_statement
import time
marcink
Added some more details into user edit permissions view
 r895 import random
import logging
import traceback
marcink
Added api_key into user, api key get's generated again after password change...
 r1116 import hashlib
Bradley M. Kuhn
Imported some of the GPLv3'd changes from RhodeCode v2.2.5....
 r4116 import itertools
import collections
marcink
Fixed Windows installation based on work of Mantis406 fork: "Replace py-bcrypt to make Windows installation easier"...
 r1118
marcink
Added api_key into user, api key get's generated again after password change...
 r1116 from tempfile import _RandomNameSequence
marcink
Added some more details into user edit permissions view
 r895 from decorator import decorator
Bradley M. Kuhn
Imported some of the GPLv3'd changes from RhodeCode v2.2.5....
 r4116 from pylons import url, request
marcink
renamed project to rhodecode
 r547 from pylons.controllers.util import abort, redirect
marcink
#113 removed anonymous access from forking, added system messages in login box.
 r1056 from pylons.i18n.translation import _
Bradley M. Kuhn
Imported some of the GPLv3'd changes from RhodeCode v2.2.5....
 r4116 from sqlalchemy import or_
marcink
IP restrictions now also enabled for IPv6
 r3212 from sqlalchemy.orm.exc import ObjectDeletedError
Bradley M. Kuhn
Imported some of the GPLv3'd changes from RhodeCode v2.2.5....
 r4116 from sqlalchemy.orm import joinedload
marcink
Added some more details into user edit permissions view
 r895
marcink
Deprecated validation of operating system, we just care if it's windows, let approve all other...
 r2634 from rhodecode import __platform__, is_windows, is_unix
Bradley M. Kuhn
Imported some of the GPLv3'd changes from RhodeCode v2.2.5....
 r4116 from rhodecode.lib.vcs.utils.lazy import LazyProperty
from rhodecode.model import meta
marcink
commit less models...
 r1749 from rhodecode.model.meta import Session
Bradley M. Kuhn
Imported some of the GPLv3'd changes from RhodeCode v2.2.5....
 r4116 from rhodecode.model.user import UserModel
from rhodecode.model.db import User, Repository, Permission, \
UserToPerm, UserGroupRepoToPerm, UserGroupToPerm, UserGroupMember, \
RepoGroup, UserGroupRepoGroupToPerm, UserIpMap, UserGroupUserGroupToPerm, \
UserGroup, UserApiKeys
marcink
Fixed Windows installation based on work of Mantis406 fork: "Replace py-bcrypt to make Windows installation easier"...
 r1118
Bradley M. Kuhn
Imported some of the GPLv3'd changes from RhodeCode v2.2.5....
 r4116 from rhodecode.lib.utils2 import safe_unicode, aslist
from rhodecode.lib.utils import get_repo_slug, get_repo_group_slug, \
get_user_group_slug, conditional_cache
from rhodecode.lib.caching_query import FromCache
marcink
Added some more details into user edit permissions view
 r895
Bradley M. Kuhn
Imported some of the GPLv3'd changes from RhodeCode v2.2.5....
 r4116 from beaker.cache import cache_region
marcink
Added some more details into user edit permissions view
 r895
marcink
PEP8ify
 r1246 log = logging.getLogger(__name__)
marcink
renamed project to rhodecode
 r547
class PasswordGenerator(object):
marcink
notification to commit author + gardening
 r1716 """
marcink
auto white-space removal
 r1818 This is a simple class for generating password from different sets of
marcink
notification to commit author + gardening
 r1716 characters
usage::
marcink
renamed project to rhodecode
 r547 passwd_gen = PasswordGenerator()
marcink
PEP8ify
 r1246 #print 8-letter password containing only big and small letters
of alphabet
marcink
print statement cleanup
 r2278 passwd_gen.gen_password(8, passwd_gen.ALPHABETS_BIG_SMALL)
marcink
renamed project to rhodecode
 r547 """
marcink
PEP8ify
 r1246 ALPHABETS_NUM = r'''1234567890'''
ALPHABETS_SMALL = r'''qwertyuiopasdfghjklzxcvbnm'''
ALPHABETS_BIG = r'''QWERTYUIOPASDFGHJKLZXCVBNM'''
ALPHABETS_SPECIAL = r'''`-=[]\;',./~!@#$%^&*()_+{}|:"<>?'''
ALPHABETS_FULL = ALPHABETS_BIG + ALPHABETS_SMALL \
+ ALPHABETS_NUM + ALPHABETS_SPECIAL
ALPHABETS_ALPHANUM = ALPHABETS_BIG + ALPHABETS_SMALL + ALPHABETS_NUM
marcink
renamed project to rhodecode
 r547 ALPHABETS_BIG_SMALL = ALPHABETS_BIG + ALPHABETS_SMALL
marcink
PEP8ify
 r1246 ALPHABETS_ALPHANUM_BIG = ALPHABETS_BIG + ALPHABETS_NUM
ALPHABETS_ALPHANUM_SMALL = ALPHABETS_SMALL + ALPHABETS_NUM
marcink
#49 Enabled anonymous access for web interface controllable from permissions pannel
 r673
marcink
renamed project to rhodecode
 r547 def __init__(self, passwd=''):
self.passwd = passwd
marcink
added optional password type in password generator
 r1993 def gen_password(self, length, type_=None):
if type_ is None:
type_ = self.ALPHABETS_FULL
marcink
#227 Initial version of repository groups permissions system...
 r1982 self.passwd = ''.join([random.choice(type_) for _ in xrange(length)])
marcink
renamed project to rhodecode
 r547 return self.passwd
marcink
PEP8ify
 r1246
marcink
Fixed Windows installation based on work of Mantis406 fork: "Replace py-bcrypt to make Windows installation easier"...
 r1118 class RhodeCodeCrypto(object):
@classmethod
def hash_string(cls, str_):
"""
Cryptographic function used for password hashing based on pybcrypt
or pycrypto in windows
marcink
source code cleanup: remove trailing white space, normalize file endings
 r1203
marcink
Fixed Windows installation based on work of Mantis406 fork: "Replace py-bcrypt to make Windows installation easier"...
 r1118 :param password: password to hash
"""
marcink
Deprecated validation of operating system, we just care if it's windows, let approve all other...
 r2634 if is_windows:
marcink
Added validation into user email map
 r2479 from hashlib import sha256
marcink
Fixed Windows installation based on work of Mantis406 fork: "Replace py-bcrypt to make Windows installation easier"...
 r1118 return sha256(str_).hexdigest()
marcink
Deprecated validation of operating system, we just care if it's windows, let approve all other...
 r2634 elif is_unix:
marcink
Added validation into user email map
 r2479 import bcrypt
marcink
Fixed Windows installation based on work of Mantis406 fork: "Replace py-bcrypt to make Windows installation easier"...
 r1118 return bcrypt.hashpw(str_, bcrypt.gensalt(10))
else:
marcink
PEP8ify
 r1246 raise Exception('Unknown or unsupported platform %s' \
% __platform__)
marcink
Fixed Windows installation based on work of Mantis406 fork: "Replace py-bcrypt to make Windows installation easier"...
 r1118
@classmethod
def hash_check(cls, password, hashed):
"""
Checks matching password with it's hashed value, runs different
implementation based on platform it runs on
marcink
source code cleanup: remove trailing white space, normalize file endings
 r1203
marcink
Fixed Windows installation based on work of Mantis406 fork: "Replace py-bcrypt to make Windows installation easier"...
 r1118 :param password: password
:param hashed: password in hashed form
"""
marcink
Deprecated validation of operating system, we just care if it's windows, let approve all other...
 r2634 if is_windows:
marcink
Added validation into user email map
 r2479 from hashlib import sha256
marcink
Fixed Windows installation based on work of Mantis406 fork: "Replace py-bcrypt to make Windows installation easier"...
 r1118 return sha256(password).hexdigest() == hashed
marcink
Deprecated validation of operating system, we just care if it's windows, let approve all other...
 r2634 elif is_unix:
marcink
Added validation into user email map
 r2479 import bcrypt
marcink
Fixed Windows installation based on work of Mantis406 fork: "Replace py-bcrypt to make Windows installation easier"...
 r1118 return bcrypt.hashpw(password, hashed) == hashed
else:
marcink
PEP8ify
 r1246 raise Exception('Unknown or unsupported platform %s' \
% __platform__)
marcink
Fixed Windows installation based on work of Mantis406 fork: "Replace py-bcrypt to make Windows installation easier"...
 r1118
marcink
#49 Enabled anonymous access for web interface controllable from permissions pannel
 r673
marcink
renamed project to rhodecode
 r547 def get_crypt_password(password):
marcink
Fixed Windows installation based on work of Mantis406 fork: "Replace py-bcrypt to make Windows installation easier"...
 r1118 return RhodeCodeCrypto.hash_string(password)
marcink
PEP8ify
 r1246
marcink
Fixed Windows installation based on work of Mantis406 fork: "Replace py-bcrypt to make Windows installation easier"...
 r1118 def check_password(password, hashed):
return RhodeCodeCrypto.hash_check(password, hashed)
marcink
renamed project to rhodecode
 r547
marcink
#344 optional firstname lastname on user creation...
 r1950
marcink
Some code cleanups and fixes
 r1628 def generate_api_key(str_, salt=None):
"""
Generates API KEY from given string
marcink
auto white-space removal
 r1818
marcink
Some code cleanups and fixes
 r1628 :param str_:
:param salt:
"""
marcink
reduce cookie size for better support of client side sessions
 r1718
marcink
Added api_key into user, api key get's generated again after password change...
 r1116 if salt is None:
salt = _RandomNameSequence().next()
marcink
Some code cleanups and fixes
 r1628 return hashlib.sha1(str_ + salt).hexdigest()
marcink
Added api_key into user, api key get's generated again after password change...
 r1116
marcink
PEP8ify
 r1246
marcink
Added session wrapper, for rc 1.2.X compatibility. Adds backwards compatability...
 r2030 class CookieStoreWrapper(object):
def __init__(self, cookie_store):
self.cookie_store = cookie_store
def __repr__(self):
return 'CookieStore<%s>' % (self.cookie_store)
def get(self, key, other=None):
if isinstance(self.cookie_store, dict):
return self.cookie_store.get(key, other)
elif isinstance(self.cookie_store, AuthUser):
return self.cookie_store.__dict__.get(key, other)
Bradley M. Kuhn
Imported some of the GPLv3'd changes from RhodeCode v2.2.5....
 r4116
def _cached_perms_data(user_id, user_is_admin, user_inherit_default_permissions,
explicit, algo):
RK = 'repositories'
GK = 'repositories_groups'
UK = 'user_groups'
GLOBAL = 'global'
PERM_WEIGHTS = Permission.PERM_WEIGHTS
permissions = {RK: {}, GK: {}, UK: {}, GLOBAL: set()}
def _choose_perm(new_perm, cur_perm):
new_perm_val = PERM_WEIGHTS[new_perm]
cur_perm_val = PERM_WEIGHTS[cur_perm]
if algo == 'higherwin':
if new_perm_val > cur_perm_val:
return new_perm
return cur_perm
elif algo == 'lowerwin':
if new_perm_val < cur_perm_val:
return new_perm
return cur_perm
#======================================================================
# fetch default permissions
#======================================================================
default_user = User.get_by_username('default', cache=True)
default_user_id = default_user.user_id
default_repo_perms = Permission.get_default_perms(default_user_id)
default_repo_groups_perms = Permission.get_default_group_perms(default_user_id)
default_user_group_perms = Permission.get_default_user_group_perms(default_user_id)
if user_is_admin:
#==================================================================
# admin user have all default rights for repositories
# and groups set to admin
#==================================================================
permissions[GLOBAL].add('hg.admin')
permissions[GLOBAL].add('hg.create.write_on_repogroup.true')
# repositories
for perm in default_repo_perms:
r_k = perm.UserRepoToPerm.repository.repo_name
p = 'repository.admin'
permissions[RK][r_k] = p
# repository groups
for perm in default_repo_groups_perms:
rg_k = perm.UserRepoGroupToPerm.group.group_name
p = 'group.admin'
permissions[GK][rg_k] = p
# user groups
for perm in default_user_group_perms:
u_k = perm.UserUserGroupToPerm.user_group.users_group_name
p = 'usergroup.admin'
permissions[UK][u_k] = p
return permissions
#==================================================================
# SET DEFAULTS GLOBAL, REPOS, REPOSITORY GROUPS
#==================================================================
uid = user_id
# default global permissions taken fron the default user
default_global_perms = UserToPerm.query()\
.filter(UserToPerm.user_id == default_user_id)\
.options(joinedload(UserToPerm.permission))
for perm in default_global_perms:
permissions[GLOBAL].add(perm.permission.permission_name)
# defaults for repositories, taken from default user
for perm in default_repo_perms:
r_k = perm.UserRepoToPerm.repository.repo_name
if perm.Repository.private and not (perm.Repository.user_id == uid):
# disable defaults for private repos,
p = 'repository.none'
elif perm.Repository.user_id == uid:
# set admin if owner
p = 'repository.admin'
else:
p = perm.Permission.permission_name
permissions[RK][r_k] = p
# defaults for repository groups taken from default user permission
# on given group
for perm in default_repo_groups_perms:
rg_k = perm.UserRepoGroupToPerm.group.group_name
p = perm.Permission.permission_name
permissions[GK][rg_k] = p
# defaults for user groups taken from default user permission
# on given user group
for perm in default_user_group_perms:
u_k = perm.UserUserGroupToPerm.user_group.users_group_name
p = perm.Permission.permission_name
permissions[UK][u_k] = p
#======================================================================
# !! OVERRIDE GLOBALS !! with user permissions if any found
#======================================================================
# those can be configured from groups or users explicitly
_configurable = set([
'hg.fork.none', 'hg.fork.repository',
'hg.create.none', 'hg.create.repository',
'hg.usergroup.create.false', 'hg.usergroup.create.true'
])
# USER GROUPS comes first
# user group global permissions
user_perms_from_users_groups = Session().query(UserGroupToPerm)\
.options(joinedload(UserGroupToPerm.permission))\
.join((UserGroupMember, UserGroupToPerm.users_group_id ==
UserGroupMember.users_group_id))\
.filter(UserGroupMember.user_id == uid)\
.order_by(UserGroupToPerm.users_group_id)\
.all()
# need to group here by groups since user can be in more than
# one group
_grouped = [[x, list(y)] for x, y in
itertools.groupby(user_perms_from_users_groups,
lambda x:x.users_group)]
for gr, perms in _grouped:
# since user can be in multiple groups iterate over them and
# select the lowest permissions first (more explicit)
##TODO: do this^^
if not gr.inherit_default_permissions:
# NEED TO IGNORE all configurable permissions and
# replace them with explicitly set
permissions[GLOBAL] = permissions[GLOBAL]\
.difference(_configurable)
for perm in perms:
permissions[GLOBAL].add(perm.permission.permission_name)
# user specific global permissions
user_perms = Session().query(UserToPerm)\
.options(joinedload(UserToPerm.permission))\
.filter(UserToPerm.user_id == uid).all()
if not user_inherit_default_permissions:
# NEED TO IGNORE all configurable permissions and
# replace them with explicitly set
permissions[GLOBAL] = permissions[GLOBAL]\
.difference(_configurable)
for perm in user_perms:
permissions[GLOBAL].add(perm.permission.permission_name)
## END GLOBAL PERMISSIONS
#======================================================================
# !! PERMISSIONS FOR REPOSITORIES !!
#======================================================================
#======================================================================
# check if user is part of user groups for this repository and
# fill in his permission from it. _choose_perm decides of which
# permission should be selected based on selected method
#======================================================================
# user group for repositories permissions
user_repo_perms_from_users_groups = \
Session().query(UserGroupRepoToPerm, Permission, Repository,)\
.join((Repository, UserGroupRepoToPerm.repository_id ==
Repository.repo_id))\
.join((Permission, UserGroupRepoToPerm.permission_id ==
Permission.permission_id))\
.join((UserGroupMember, UserGroupRepoToPerm.users_group_id ==
UserGroupMember.users_group_id))\
.filter(UserGroupMember.user_id == uid)\
.all()
multiple_counter = collections.defaultdict(int)
for perm in user_repo_perms_from_users_groups:
r_k = perm.UserGroupRepoToPerm.repository.repo_name
multiple_counter[r_k] += 1
p = perm.Permission.permission_name
cur_perm = permissions[RK][r_k]
if perm.Repository.user_id == uid:
# set admin if owner
p = 'repository.admin'
else:
if multiple_counter[r_k] > 1:
p = _choose_perm(p, cur_perm)
permissions[RK][r_k] = p
# user explicit permissions for repositories, overrides any specified
# by the group permission
user_repo_perms = Permission.get_default_perms(uid)
for perm in user_repo_perms:
r_k = perm.UserRepoToPerm.repository.repo_name
cur_perm = permissions[RK][r_k]
# set admin if owner
if perm.Repository.user_id == uid:
p = 'repository.admin'
else:
p = perm.Permission.permission_name
if not explicit:
p = _choose_perm(p, cur_perm)
permissions[RK][r_k] = p
#======================================================================
# !! PERMISSIONS FOR REPOSITORY GROUPS !!
#======================================================================
#======================================================================
# check if user is part of user groups for this repository groups and
# fill in his permission from it. _choose_perm decides of which
# permission should be selected based on selected method
#======================================================================
# user group for repo groups permissions
user_repo_group_perms_from_users_groups = \
Session().query(UserGroupRepoGroupToPerm, Permission, RepoGroup)\
.join((RepoGroup, UserGroupRepoGroupToPerm.group_id == RepoGroup.group_id))\
.join((Permission, UserGroupRepoGroupToPerm.permission_id
== Permission.permission_id))\
.join((UserGroupMember, UserGroupRepoGroupToPerm.users_group_id
== UserGroupMember.users_group_id))\
.filter(UserGroupMember.user_id == uid)\
.all()
multiple_counter = collections.defaultdict(int)
for perm in user_repo_group_perms_from_users_groups:
g_k = perm.UserGroupRepoGroupToPerm.group.group_name
multiple_counter[g_k] += 1
p = perm.Permission.permission_name
cur_perm = permissions[GK][g_k]
if multiple_counter[g_k] > 1:
p = _choose_perm(p, cur_perm)
permissions[GK][g_k] = p
# user explicit permissions for repository groups
user_repo_groups_perms = Permission.get_default_group_perms(uid)
for perm in user_repo_groups_perms:
rg_k = perm.UserRepoGroupToPerm.group.group_name
p = perm.Permission.permission_name
cur_perm = permissions[GK][rg_k]
if not explicit:
p = _choose_perm(p, cur_perm)
permissions[GK][rg_k] = p
#======================================================================
# !! PERMISSIONS FOR USER GROUPS !!
#======================================================================
# user group for user group permissions
user_group_user_groups_perms = \
Session().query(UserGroupUserGroupToPerm, Permission, UserGroup)\
.join((UserGroup, UserGroupUserGroupToPerm.target_user_group_id
== UserGroup.users_group_id))\
.join((Permission, UserGroupUserGroupToPerm.permission_id
== Permission.permission_id))\
.join((UserGroupMember, UserGroupUserGroupToPerm.user_group_id
== UserGroupMember.users_group_id))\
.filter(UserGroupMember.user_id == uid)\
.all()
multiple_counter = collections.defaultdict(int)
for perm in user_group_user_groups_perms:
g_k = perm.UserGroupUserGroupToPerm.target_user_group.users_group_name
multiple_counter[g_k] += 1
p = perm.Permission.permission_name
cur_perm = permissions[UK][g_k]
if multiple_counter[g_k] > 1:
p = _choose_perm(p, cur_perm)
permissions[UK][g_k] = p
#user explicit permission for user groups
user_user_groups_perms = Permission.get_default_user_group_perms(uid)
for perm in user_user_groups_perms:
u_k = perm.UserUserGroupToPerm.user_group.users_group_name
p = perm.Permission.permission_name
cur_perm = permissions[UK][u_k]
if not explicit:
p = _choose_perm(p, cur_perm)
permissions[UK][u_k] = p
return permissions
def allowed_api_access(controller_name, whitelist=None, api_key=None):
"""
Check if given controller_name is in whitelist API access
"""
if not whitelist:
from rhodecode import CONFIG
whitelist = aslist(CONFIG.get('api_access_controllers_whitelist'),
sep=',')
log.debug('whitelist of API access is: %s' % (whitelist))
api_access_valid = controller_name in whitelist
if api_access_valid:
log.debug('controller:%s is in API whitelist' % (controller_name))
else:
msg = 'controller: %s is *NOT* in API whitelist' % (controller_name)
if api_key:
#if we use API key and don't have access it's a warning
log.warning(msg)
else:
log.debug(msg)
return api_access_valid
class AuthUser(object):
marcink
Major rewrite of auth objects. Moved parts of filling user data into user model....
 r1117 """
A simple object that handles all attributes of user in RhodeCode
marcink
source code cleanup: remove trailing white space, normalize file endings
 r1203
marcink
Major rewrite of auth objects. Moved parts of filling user data into user model....
 r1117 It does lookup based on API key,given user, or user present in session
marcink
source code cleanup: remove trailing white space, normalize file endings
 r1203 Then it fills all required information for such user. It also checks if
Bradley M. Kuhn
Imported some of the GPLv3'd changes from RhodeCode v2.2.5....
 r4116 anonymous access is enabled and if so, it returns default user as logged in
marcink
renamed project to rhodecode
 r547 """
marcink
#56 added propagation of permission from group
 r1016
marcink
Added UserIpMap interface for allowed IP addresses and IP restriction access...
 r3125 def __init__(self, user_id=None, api_key=None, username=None, ip_addr=None):
marcink
Major rewrite of auth objects. Moved parts of filling user data into user model....
 r1117
self.user_id = user_id
Bradley M. Kuhn
Imported some of the GPLv3'd changes from RhodeCode v2.2.5....
 r4116 self._api_key = api_key
marcink
fixed some bugs in api key auth, added access by api key into rss/atom feeds in global journal...
 r1120 self.api_key = None
Liad Shani
Improved container-based auth implementation and added support for a reverse-proxy setup (using the X-Forwarded-User header)
 r1617 self.username = username
marcink
Added UserIpMap interface for allowed IP addresses and IP restriction access...
 r3125 self.ip_addr = ip_addr
marcink
renamed project to rhodecode
 r547 self.name = ''
self.lastname = ''
self.email = ''
self.is_authenticated = False
marcink
Major rewrite of auth objects. Moved parts of filling user data into user model....
 r1117 self.admin = False
marcink
fixed error when disabled anonymous access lead to error on server
 r2714 self.inherit_default_permissions = False
Bradley M. Kuhn
Imported some of the GPLv3'd changes from RhodeCode v2.2.5....
 r4116
marcink
Major rewrite of auth objects. Moved parts of filling user data into user model....
 r1117 self.propagate_data()
marcink
#344 optional firstname lastname on user creation...
 r1950 self._instance = None
marcink
Major rewrite of auth objects. Moved parts of filling user data into user model....
 r1117
Bradley M. Kuhn
Imported some of the GPLv3'd changes from RhodeCode v2.2.5....
 r4116 @LazyProperty
def permissions(self):
return self.get_perms(user=self, cache=False)
@property
def api_keys(self):
return self.get_api_keys()
marcink
Major rewrite of auth objects. Moved parts of filling user data into user model....
 r1117 def propagate_data(self):
user_model = UserModel()
Bradley M. Kuhn
Imported some of the GPLv3'd changes from RhodeCode v2.2.5....
 r4116 self.anonymous_user = User.get_default_user(cache=True)
Liad Shani
Added container-based authentication support
 r1613 is_user_loaded = False
marcink
reduce cookie size for better support of client side sessions
 r1718
marcink
auto white-space removal
 r1818 # lookup by userid
Bradley M. Kuhn
Imported some of the GPLv3'd changes from RhodeCode v2.2.5....
 r4116 if self.user_id is not None and self.user_id != self.anonymous_user.user_id:
marcink
garden...
 r1976 log.debug('Auth User lookup by USER ID %s' % self.user_id)
Liad Shani
Added automatic logout of deactivated/deleted users
 r1618 is_user_loaded = user_model.fill_data(self, user_id=self.user_id)
Bradley M. Kuhn
Imported some of the GPLv3'd changes from RhodeCode v2.2.5....
 r4116
# try go get user by api key
elif self._api_key and self._api_key != self.anonymous_user.api_key:
log.debug('Auth User lookup by API KEY %s' % self._api_key)
is_user_loaded = user_model.fill_data(self, api_key=self._api_key)
marcink
fix issue #323 auth by suername only if container auth is enabled
 r1808 # lookup by username
Bradley M. Kuhn
Imported some of the GPLv3'd changes from RhodeCode v2.2.5....
 r4116 elif self.username:
marcink
garden...
 r1976 log.debug('Auth User lookup by USER NAME %s' % self.username)
Bradley M. Kuhn
Imported some of the GPLv3'd changes from RhodeCode v2.2.5....
 r4116 is_user_loaded = user_model.fill_data(self, username=self.username)
marcink
fixed issue with sessions that lead to redirection loops
 r2045 else:
log.debug('No data in %s that could been used to log in' % self)
Liad Shani
Added container-based authentication support
 r1613
if not is_user_loaded:
marcink
Some code cleanups and fixes
 r1628 # if we cannot authenticate user try anonymous
Mads Kiilerich
follow Python conventions for boolean values...
 r3625 if self.anonymous_user.active:
marcink
reduce cookie size for better support of client side sessions
 r1718 user_model.fill_data(self, user_id=self.anonymous_user.user_id)
marcink
Some code cleanups and fixes
 r1628 # then we set this user is logged in
Liad Shani
Added container-based authentication support
 r1613 self.is_authenticated = True
marcink
Major rewrite of auth objects. Moved parts of filling user data into user model....
 r1117 else:
Liad Shani
Added automatic logout of deactivated/deleted users
 r1618 self.user_id = None
self.username = None
Liad Shani
Added container-based authentication support
 r1613 self.is_authenticated = False
marcink
Major rewrite of auth objects. Moved parts of filling user data into user model....
 r1117
Liad Shani
Improved container-based auth implementation and added support for a reverse-proxy setup (using the X-Forwarded-User header)
 r1617 if not self.username:
self.username = 'None'
marcink
garden...
 r1976 log.debug('Auth User is now %s' % self)
Bradley M. Kuhn
Imported some of the GPLv3'd changes from RhodeCode v2.2.5....
 r4116
def get_perms(self, user, explicit=True, algo='higherwin', cache=False):
"""
Fills user permission attribute with permissions taken from database
works for permissions given for repositories, and for permissions that
are granted to groups
:param user: instance of User object from database
:param explicit: In case there are permissions both for user and a group
that user is part of, explicit flag will defiine if user will
explicitly override permissions from group, if it's False it will
make decision based on the algo
:param algo: algorithm to decide what permission should be choose if
it's multiple defined, eg user in two different groups. It also
decides if explicit flag is turned off how to specify the permission
for case when user is in a group + have defined separate permission
"""
user_id = user.user_id
user_is_admin = user.is_admin
user_inherit_default_permissions = user.inherit_default_permissions
log.debug('Getting PERMISSION tree')
compute = conditional_cache('short_term', 'cache_desc',
condition=cache, func=_cached_perms_data)
return compute(user_id, user_is_admin,
user_inherit_default_permissions, explicit, algo)
def get_api_keys(self):
api_keys = [self.api_key]
for api_key in UserApiKeys.query()\
.filter(UserApiKeys.user_id == self.user_id)\
.filter(or_(UserApiKeys.expires == -1,
UserApiKeys.expires >= time.time())).all():
api_keys.append(api_key.api_key)
return api_keys
marcink
Major rewrite of auth objects. Moved parts of filling user data into user model....
 r1117
@property
def is_admin(self):
return self.admin
marcink
renamed project to rhodecode
 r547
marcink
Full IP restrictions enabled...
 r3146 @property
marcink
show admin menu and list for users who are admins of repos....
 r3865 def repositories_admin(self):
marcink
Show admin dropdown for users who are admin of repo groups
 r3371 """
Returns list of repositories you're an admin of
"""
return [x[0] for x in self.permissions['repositories'].iteritems()
if x[1] == 'repository.admin']
@property
marcink
- Manage User’s Groups: create, delete, rename, add/remove users inside....
 r3714 def repository_groups_admin(self):
marcink
Show admin dropdown for users who are admin of repo groups
 r3371 """
marcink
fixed tests and missing replacements from 5f1850e4712a
 r3415 Returns list of repository groups you're an admin of
marcink
Show admin dropdown for users who are admin of repo groups
 r3371 """
return [x[0] for x in self.permissions['repositories_groups'].iteritems()
if x[1] == 'group.admin']
@property
marcink
- Manage User’s Groups: create, delete, rename, add/remove users inside....
 r3714 def user_groups_admin(self):
"""
Returns list of user groups you're an admin of
"""
return [x[0] for x in self.permissions['user_groups'].iteritems()
if x[1] == 'usergroup.admin']
@property
marcink
Full IP restrictions enabled...
 r3146 def ip_allowed(self):
"""
Checks if ip_addr used in constructor is allowed from defined list of
allowed ip_addresses for user
:returns: boolean, True if ip is in allowed ip range
"""
Bradley M. Kuhn
Imported some of the GPLv3'd changes from RhodeCode v2.2.5....
 r4116 # check IP
inherit = self.inherit_default_permissions
return AuthUser.check_ip_allowed(self.user_id, self.ip_addr,
inherit_from_default=inherit)
@classmethod
def check_ip_allowed(cls, user_id, ip_addr, inherit_from_default):
allowed_ips = AuthUser.get_allowed_ips(user_id, cache=True,
inherit_from_default=inherit_from_default)
if check_ip_access(source_ip=ip_addr, allowed_ips=allowed_ips):
log.debug('IP:%s is in range of %s' % (ip_addr, allowed_ips))
marcink
Full IP restrictions enabled...
 r3146 return True
else:
log.info('Access for IP:%s forbidden, '
Bradley M. Kuhn
Imported some of the GPLv3'd changes from RhodeCode v2.2.5....
 r4116 'not in %s' % (ip_addr, allowed_ips))
marcink
Full IP restrictions enabled...
 r3146 return False
marcink
#49 Enabled anonymous access for web interface controllable from permissions pannel
 r673 def __repr__(self):
marcink
added more info into __repr__ of auth user for better debugging and logging
 r3903 return "<AuthUser('id:%s[%s] ip:%s auth:%s')>"\
% (self.user_id, self.username, self.ip_addr, self.is_authenticated)
marcink
Major rewrite of auth objects. Moved parts of filling user data into user model....
 r1117
def set_authenticated(self, authenticated=True):
if self.user_id != self.anonymous_user.user_id:
self.is_authenticated = authenticated
marcink
reduce cookie size for better support of client side sessions
 r1718 def get_cookie_store(self):
marcink
#344 optional firstname lastname on user creation...
 r1950 return {'username': self.username,
marcink
reduce cookie size for better support of client side sessions
 r1718 'user_id': self.user_id,
marcink
#344 optional firstname lastname on user creation...
 r1950 'is_authenticated': self.is_authenticated}
marcink
reduce cookie size for better support of client side sessions
 r1718
@classmethod
def from_cookie_store(cls, cookie_store):
marcink
Added session wrapper, for rc 1.2.X compatibility. Adds backwards compatability...
 r2030 """
Creates AuthUser from a cookie store
:param cls:
:param cookie_store:
"""
marcink
reduce cookie size for better support of client side sessions
 r1718 user_id = cookie_store.get('user_id')
username = cookie_store.get('username')
api_key = cookie_store.get('api_key')
return AuthUser(user_id, api_key, username)
marcink
renamed project to rhodecode
 r547
marcink
Added UserIpMap interface for allowed IP addresses and IP restriction access...
 r3125 @classmethod
Bradley M. Kuhn
Imported some of the GPLv3'd changes from RhodeCode v2.2.5....
 r4116 def get_allowed_ips(cls, user_id, cache=False, inherit_from_default=False):
marcink
Added UserIpMap interface for allowed IP addresses and IP restriction access...
 r3125 _set = set()
Bradley M. Kuhn
Imported some of the GPLv3'd changes from RhodeCode v2.2.5....
 r4116
if inherit_from_default:
default_ips = UserIpMap.query().filter(UserIpMap.user ==
User.get_default_user(cache=True))
if cache:
default_ips = default_ips.options(FromCache("sql_cache_short",
"get_user_ips_default"))
# populate from default user
for ip in default_ips:
try:
_set.add(ip.ip_addr)
except ObjectDeletedError:
# since we use heavy caching sometimes it happens that we get
# deleted objects here, we just skip them
pass
marcink
Full IP restrictions enabled...
 r3146 user_ips = UserIpMap.query().filter(UserIpMap.user_id == user_id)
if cache:
user_ips = user_ips.options(FromCache("sql_cache_short",
"get_user_ips_%s" % user_id))
Bradley M. Kuhn
Imported some of the GPLv3'd changes from RhodeCode v2.2.5....
 r4116
marcink
Added UserIpMap interface for allowed IP addresses and IP restriction access...
 r3125 for ip in user_ips:
marcink
IP restrictions now also enabled for IPv6
 r3212 try:
_set.add(ip.ip_addr)
except ObjectDeletedError:
# since we use heavy caching sometimes it happens that we get
# deleted objects here, we just skip them
pass
return _set or set(['0.0.0.0/0', '::/0'])
marcink
Added UserIpMap interface for allowed IP addresses and IP restriction access...
 r3125
marcink
#344 optional firstname lastname on user creation...
 r1950
marcink
renamed project to rhodecode
 r547 def set_available_permissions(config):
marcink
Some code cleanups and fixes
 r1628 """
This function will propagate pylons globals with all available defined
marcink
source code cleanup: remove trailing white space, normalize file endings
 r1203 permission given in db. We don't want to check each time from db for new
marcink
renamed project to rhodecode
 r547 permissions since adding a new permission also requires application restart
ie. to decorate new views with the newly created permission
marcink
source code cleanup: remove trailing white space, normalize file endings
 r1203
marcink
Added some more details into user edit permissions view
 r895 :param config: current pylons config instance
marcink
source code cleanup: remove trailing white space, normalize file endings
 r1203
marcink
renamed project to rhodecode
 r547 """
log.info('getting information about all available permissions')
try:
marcink
commit less models...
 r1749 sa = meta.Session
marcink
renamed project to rhodecode
 r547 all_perms = sa.query(Permission).all()
marcink
fixed edge case when connection to db fails and code reaches state of variable referenced before assignment
 r4015 config['available_permissions'] = [x.permission_name for x in all_perms]
marcink
#344 optional firstname lastname on user creation...
 r1950 except Exception:
marcink
fixed edge case when connection to db fails and code reaches state of variable referenced before assignment
 r4015 log.error(traceback.format_exc())
marcink
renamed project to rhodecode
 r547 finally:
meta.Session.remove()
marcink
#49 Enabled anonymous access for web interface controllable from permissions pannel
 r673
marcink
PEP8ify
 r1246
#==============================================================================
marcink
renamed project to rhodecode
 r547 # CHECK DECORATORS
marcink
PEP8ify
 r1246 #==============================================================================
marcink
renamed project to rhodecode
 r547 class LoginRequired(object):
marcink
Major rewrite of auth objects. Moved parts of filling user data into user model....
 r1117 """
marcink
source code cleanup: remove trailing white space, normalize file endings
 r1203 Must be logged in to execute this function else
marcink
Major rewrite of auth objects. Moved parts of filling user data into user model....
 r1117 redirect to login page
marcink
source code cleanup: remove trailing white space, normalize file endings
 r1203
marcink
Major rewrite of auth objects. Moved parts of filling user data into user model....
 r1117 :param api_access: if enabled this checks only for valid auth token
and grants access based on valid token
"""
def __init__(self, api_access=False):
self.api_access = api_access
marcink
#49 Enabled anonymous access for web interface controllable from permissions pannel
 r673
marcink
renamed project to rhodecode
 r547 def __call__(self, func):
return decorator(self.__wrapper, func)
marcink
#49 Enabled anonymous access for web interface controllable from permissions pannel
 r673
marcink
renamed project to rhodecode
 r547 def __wrapper(self, func, *fargs, **fkwargs):
marcink
Major rewrite of auth objects. Moved parts of filling user data into user model....
 r1117 cls = fargs[0]
user = cls.rhodecode_user
marcink
Full IP restrictions enabled...
 r3146 loc = "%s:%s" % (cls.__class__.__name__, func.__name__)
Bradley M. Kuhn
Imported some of the GPLv3'd changes from RhodeCode v2.2.5....
 r4116
# check if our IP is allowed
ip_access_valid = True
marcink
Full IP restrictions enabled...
 r3146 if not user.ip_allowed:
from rhodecode.lib import helpers as h
h.flash(h.literal(_('IP %s not allowed' % (user.ip_addr))),
category='warning')
Bradley M. Kuhn
Imported some of the GPLv3'd changes from RhodeCode v2.2.5....
 r4116 ip_access_valid = False
marcink
Major rewrite of auth objects. Moved parts of filling user data into user model....
 r1117
Bradley M. Kuhn
Imported some of the GPLv3'd changes from RhodeCode v2.2.5....
 r4116 # check if we used an APIKEY and it's a valid one
# defined whitelist of controllers which API access will be enabled
_api_key = request.GET.get('api_key', '')
api_access_valid = allowed_api_access(loc, api_key=_api_key)
# explicit controller is enabled or API is in our whitelist
if self.api_access or api_access_valid:
marcink
garden...
 r1976 log.debug('Checking API KEY access for %s' % cls)
Bradley M. Kuhn
Imported some of the GPLv3'd changes from RhodeCode v2.2.5....
 r4116 if _api_key and _api_key in user.api_keys:
api_access_valid = True
log.debug('API KEY ****%s is VALID' % _api_key[-4:])
marcink
Major rewrite of auth objects. Moved parts of filling user data into user model....
 r1117 else:
Bradley M. Kuhn
Imported some of the GPLv3'd changes from RhodeCode v2.2.5....
 r4116 api_access_valid = False
if not _api_key:
log.debug("API KEY *NOT* present in request")
else:
log.warn("API KEY ****%s *NOT* valid" % _api_key[-4:])
marcink
Full IP restrictions enabled...
 r3146
marcink
more work on improving info logging
 r2025 log.debug('Checking if %s is authenticated @ %s' % (user.username, loc))
Bradley M. Kuhn
Imported some of the GPLv3'd changes from RhodeCode v2.2.5....
 r4116 reason = 'RegularAuth' if user.is_authenticated else 'APIAuth'
if ip_access_valid and (user.is_authenticated or api_access_valid):
log.info('user %s authenticating with:%s IS authenticated on func %s '
% (user, reason, loc)
marcink
more work on improving info logging
 r2025 )
marcink
renamed project to rhodecode
 r547 return func(*fargs, **fkwargs)
else:
Bradley M. Kuhn
Imported some of the GPLv3'd changes from RhodeCode v2.2.5....
 r4116 log.warn('user %s authenticating with:%s NOT authenticated on func: %s: '
'IP_ACCESS:%s API_ACCESS:%s'
% (user, reason, loc, ip_access_valid, api_access_valid)
marcink
more work on improving info logging
 r2025 )
marcink
changed the way of generating url for came_from
 r1207 p = url.current()
marcink
#49 Enabled anonymous access for web interface controllable from permissions pannel
 r673
marcink
garden...
 r1976 log.debug('redirecting to login page with %s' % p)
marcink
renamed project to rhodecode
 r547 return redirect(url('login_home', came_from=p))
marcink
PEP8ify
 r1246
marcink
Added isanonymous decorator for checking permissions for anonymous access
 r779 class NotAnonymous(object):
marcink
notification to commit author + gardening
 r1716 """
Must be logged in to execute this function else
marcink
Added isanonymous decorator for checking permissions for anonymous access
 r779 redirect to login page"""
def __call__(self, func):
return decorator(self.__wrapper, func)
def __wrapper(self, func, *fargs, **fkwargs):
marcink
Major rewrite of auth objects. Moved parts of filling user data into user model....
 r1117 cls = fargs[0]
self.user = cls.rhodecode_user
marcink
Added isanonymous decorator for checking permissions for anonymous access
 r779
marcink
garden...
 r1976 log.debug('Checking if user is not anonymous @%s' % cls)
marcink
Major rewrite of auth objects. Moved parts of filling user data into user model....
 r1117
Bradley M. Kuhn
Imported some of the GPLv3'd changes from RhodeCode v2.2.5....
 r4116 anonymous = self.user.username == User.DEFAULT_USER
marcink
Added isanonymous decorator for checking permissions for anonymous access
 r779
if anonymous:
marcink
fixed redirection link in notAnonymous decorator
 r1335 p = url.current()
marcink
#113 removed anonymous access from forking, added system messages in login box.
 r1056
import rhodecode.lib.helpers as h
marcink
PEP8ify
 r1246 h.flash(_('You need to be a registered user to '
'perform this action'),
marcink
#113 removed anonymous access from forking, added system messages in login box.
 r1056 category='warning')
marcink
Added isanonymous decorator for checking permissions for anonymous access
 r779 return redirect(url('login_home', came_from=p))
else:
return func(*fargs, **fkwargs)
marcink
PEP8ify
 r1246
marcink
renamed project to rhodecode
 r547 class PermsDecorator(object):
marcink
Major rewrite of auth objects. Moved parts of filling user data into user model....
 r1117 """Base class for controller decorators"""
marcink
#49 Enabled anonymous access for web interface controllable from permissions pannel
 r673
marcink
renamed project to rhodecode
 r547 def __init__(self, *required_perms):
self.required_perms = set(required_perms)
self.user_perms = None
marcink
#49 Enabled anonymous access for web interface controllable from permissions pannel
 r673
marcink
renamed project to rhodecode
 r547 def __call__(self, func):
return decorator(self.__wrapper, func)
marcink
#49 Enabled anonymous access for web interface controllable from permissions pannel
 r673
marcink
renamed project to rhodecode
 r547 def __wrapper(self, func, *fargs, **fkwargs):
marcink
Major rewrite of auth objects. Moved parts of filling user data into user model....
 r1117 cls = fargs[0]
self.user = cls.rhodecode_user
marcink
#49 Enabled anonymous access for web interface controllable from permissions pannel
 r673 self.user_perms = self.user.permissions
log.debug('checking %s permissions %s for %s %s',
marcink
more detailed logging on auth system...
 r2125 self.__class__.__name__, self.required_perms, cls, self.user)
marcink
renamed project to rhodecode
 r547
if self.check_permissions():
marcink
garden...
 r1976 log.debug('Permission granted for %s %s' % (cls, self.user))
marcink
renamed project to rhodecode
 r547 return func(*fargs, **fkwargs)
marcink
#49 Enabled anonymous access for web interface controllable from permissions pannel
 r673
marcink
renamed project to rhodecode
 r547 else:
marcink
more work on improving info logging
 r2025 log.debug('Permission denied for %s %s' % (cls, self.user))
Bradley M. Kuhn
Imported some of the GPLv3'd changes from RhodeCode v2.2.5....
 r4116 anonymous = self.user.username == User.DEFAULT_USER
marcink
Do a redirect to login for anonymous users
 r1336
if anonymous:
p = url.current()
import rhodecode.lib.helpers as h
h.flash(_('You need to be a signed in to '
'view this page'),
category='warning')
return redirect(url('login_home', came_from=p))
else:
marcink
Some code cleanups and fixes
 r1628 # redirect with forbidden ret code
marcink
Do a redirect to login for anonymous users
 r1336 return abort(403)
marcink
renamed project to rhodecode
 r547
def check_permissions(self):
"""Dummy function for overriding"""
raise Exception('You have to write this function in child class')
marcink
PEP8ify
 r1246
marcink
renamed project to rhodecode
 r547 class HasPermissionAllDecorator(PermsDecorator):
marcink
notification to commit author + gardening
 r1716 """
Checks for access permission for all given predicates. All of them
marcink
renamed project to rhodecode
 r547 have to be meet in order to fulfill the request
"""
marcink
#49 Enabled anonymous access for web interface controllable from permissions pannel
 r673
marcink
renamed project to rhodecode
 r547 def check_permissions(self):
if self.required_perms.issubset(self.user_perms.get('global')):
return True
return False
marcink
#49 Enabled anonymous access for web interface controllable from permissions pannel
 r673
marcink
renamed project to rhodecode
 r547
class HasPermissionAnyDecorator(PermsDecorator):
marcink
notification to commit author + gardening
 r1716 """
Checks for access permission for any of given predicates. In order to
marcink
renamed project to rhodecode
 r547 fulfill the request any of predicates must be meet
"""
marcink
#49 Enabled anonymous access for web interface controllable from permissions pannel
 r673
marcink
renamed project to rhodecode
 r547 def check_permissions(self):
if self.required_perms.intersection(self.user_perms.get('global')):
return True
return False
marcink
PEP8ify
 r1246
marcink
renamed project to rhodecode
 r547 class HasRepoPermissionAllDecorator(PermsDecorator):
marcink
notification to commit author + gardening
 r1716 """
Checks for access permission for all given predicates for specific
marcink
renamed project to rhodecode
 r547 repository. All of them have to be meet in order to fulfill the request
"""
marcink
#49 Enabled anonymous access for web interface controllable from permissions pannel
 r673
marcink
renamed project to rhodecode
 r547 def check_permissions(self):
repo_name = get_repo_slug(request)
try:
user_perms = set([self.user_perms['repositories'][repo_name]])
except KeyError:
return False
if self.required_perms.issubset(user_perms):
return True
return False
marcink
#49 Enabled anonymous access for web interface controllable from permissions pannel
 r673
marcink
renamed project to rhodecode
 r547
class HasRepoPermissionAnyDecorator(PermsDecorator):
marcink
notification to commit author + gardening
 r1716 """
Checks for access permission for any of given predicates for specific
marcink
renamed project to rhodecode
 r547 repository. In order to fulfill the request any of predicates must be meet
"""
marcink
#49 Enabled anonymous access for web interface controllable from permissions pannel
 r673
marcink
renamed project to rhodecode
 r547 def check_permissions(self):
repo_name = get_repo_slug(request)
try:
user_perms = set([self.user_perms['repositories'][repo_name]])
except KeyError:
return False
marcink
more detailed logging on auth system...
 r2125
marcink
renamed project to rhodecode
 r547 if self.required_perms.intersection(user_perms):
return True
return False
marcink
PEP8ify
 r1246
Bradley M. Kuhn
Imported some of the GPLv3'd changes from RhodeCode v2.2.5....
 r4116 class HasRepoGroupPermissionAllDecorator(PermsDecorator):
marcink
#227 Initial version of repository groups permissions system...
 r1982 """
Checks for access permission for all given predicates for specific
marcink
- Manage User’s Groups: create, delete, rename, add/remove users inside....
 r3714 repository group. All of them have to be meet in order to fulfill the request
marcink
#227 Initial version of repository groups permissions system...
 r1982 """
def check_permissions(self):
Bradley M. Kuhn
Imported some of the GPLv3'd changes from RhodeCode v2.2.5....
 r4116 group_name = get_repo_group_slug(request)
marcink
#227 Initial version of repository groups permissions system...
 r1982 try:
user_perms = set([self.user_perms['repositories_groups'][group_name]])
except KeyError:
return False
marcink
Group management delegation:...
 r3222
marcink
#227 Initial version of repository groups permissions system...
 r1982 if self.required_perms.issubset(user_perms):
return True
return False
Bradley M. Kuhn
Imported some of the GPLv3'd changes from RhodeCode v2.2.5....
 r4116 class HasRepoGroupPermissionAnyDecorator(PermsDecorator):
marcink
#227 Initial version of repository groups permissions system...
 r1982 """
Checks for access permission for any of given predicates for specific
marcink
- Manage User’s Groups: create, delete, rename, add/remove users inside....
 r3714 repository group. In order to fulfill the request any of predicates must be meet
marcink
#227 Initial version of repository groups permissions system...
 r1982 """
def check_permissions(self):
Bradley M. Kuhn
Imported some of the GPLv3'd changes from RhodeCode v2.2.5....
 r4116 group_name = get_repo_group_slug(request)
marcink
#227 Initial version of repository groups permissions system...
 r1982 try:
user_perms = set([self.user_perms['repositories_groups'][group_name]])
except KeyError:
return False
marcink
Group management delegation:...
 r3222
marcink
#227 Initial version of repository groups permissions system...
 r1982 if self.required_perms.intersection(user_perms):
return True
return False
marcink
- Manage User’s Groups: create, delete, rename, add/remove users inside....
 r3714 class HasUserGroupPermissionAllDecorator(PermsDecorator):
"""
Checks for access permission for all given predicates for specific
user group. All of them have to be meet in order to fulfill the request
"""
def check_permissions(self):
group_name = get_user_group_slug(request)
try:
user_perms = set([self.user_perms['user_groups'][group_name]])
except KeyError:
return False
if self.required_perms.issubset(user_perms):
return True
return False
class HasUserGroupPermissionAnyDecorator(PermsDecorator):
"""
Checks for access permission for any of given predicates for specific
user group. In order to fulfill the request any of predicates must be meet
"""
def check_permissions(self):
group_name = get_user_group_slug(request)
try:
user_perms = set([self.user_perms['user_groups'][group_name]])
except KeyError:
return False
if self.required_perms.intersection(user_perms):
return True
return False
marcink
PEP8ify
 r1246 #==============================================================================
marcink
renamed project to rhodecode
 r547 # CHECK FUNCTIONS
marcink
PEP8ify
 r1246 #==============================================================================
marcink
renamed project to rhodecode
 r547 class PermsFunction(object):
"""Base function for other check functions"""
marcink
#49 Enabled anonymous access for web interface controllable from permissions pannel
 r673
marcink
renamed project to rhodecode
 r547 def __init__(self, *perms):
self.required_perms = set(perms)
self.user_perms = None
self.repo_name = None
marcink
more detailed logging on auth system...
 r2125 self.group_name = None
marcink
#49 Enabled anonymous access for web interface controllable from permissions pannel
 r673
Bradley M. Kuhn
Imported some of the GPLv3'd changes from RhodeCode v2.2.5....
 r4116 def __call__(self, check_location='', user=None):
if not user:
#TODO: remove this someday,put as user as attribute here
user = request.user
# init auth user if not already given
if not isinstance(user, AuthUser):
user = AuthUser(user.user_id)
marcink
more detailed logging on auth system...
 r2125 cls_name = self.__class__.__name__
check_scope = {
'HasPermissionAll': '',
'HasPermissionAny': '',
'HasRepoPermissionAll': 'repo:%s' % self.repo_name,
'HasRepoPermissionAny': 'repo:%s' % self.repo_name,
Bradley M. Kuhn
Imported some of the GPLv3'd changes from RhodeCode v2.2.5....
 r4116 'HasRepoGroupPermissionAll': 'group:%s' % self.group_name,
'HasRepoGroupPermissionAny': 'group:%s' % self.group_name,
marcink
more detailed logging on auth system...
 r2125 }.get(cls_name, '?')
log.debug('checking cls:%s %s usr:%s %s @ %s', cls_name,
self.required_perms, user, check_scope,
marcink
refactor check_Location => check_location
 r3313 check_location or 'unspecified location')
marcink
renamed project to rhodecode
 r547 if not user:
marcink
fixed issue with sessions that lead to redirection loops
 r2045 log.debug('Empty request user')
marcink
renamed project to rhodecode
 r547 return False
self.user_perms = user.permissions
if self.check_permissions():
Bradley M. Kuhn
Imported some of the GPLv3'd changes from RhodeCode v2.2.5....
 r4116 log.debug('Permission to %s granted for user: %s @ %s'
% (check_scope, user,
check_location or 'unspecified location'))
marcink
renamed project to rhodecode
 r547 return True
marcink
#49 Enabled anonymous access for web interface controllable from permissions pannel
 r673
marcink
renamed project to rhodecode
 r547 else:
Bradley M. Kuhn
Imported some of the GPLv3'd changes from RhodeCode v2.2.5....
 r4116 log.debug('Permission to %s denied for user: %s @ %s'
% (check_scope, user,
check_location or 'unspecified location'))
marcink
#49 Enabled anonymous access for web interface controllable from permissions pannel
 r673 return False
marcink
renamed project to rhodecode
 r547 def check_permissions(self):
"""Dummy function for overriding"""
raise Exception('You have to write this function in child class')
marcink
#49 Enabled anonymous access for web interface controllable from permissions pannel
 r673
marcink
PEP8ify
 r1246
marcink
renamed project to rhodecode
 r547 class HasPermissionAll(PermsFunction):
def check_permissions(self):
if self.required_perms.issubset(self.user_perms.get('global')):
return True
return False
marcink
PEP8ify
 r1246
marcink
renamed project to rhodecode
 r547 class HasPermissionAny(PermsFunction):
def check_permissions(self):
if self.required_perms.intersection(self.user_perms.get('global')):
return True
return False
marcink
PEP8ify
 r1246
marcink
renamed project to rhodecode
 r547 class HasRepoPermissionAll(PermsFunction):
Bradley M. Kuhn
Imported some of the GPLv3'd changes from RhodeCode v2.2.5....
 r4116 def __call__(self, repo_name=None, check_location='', user=None):
marcink
renamed project to rhodecode
 r547 self.repo_name = repo_name
Bradley M. Kuhn
Imported some of the GPLv3'd changes from RhodeCode v2.2.5....
 r4116 return super(HasRepoPermissionAll, self).__call__(check_location, user)
marcink
#49 Enabled anonymous access for web interface controllable from permissions pannel
 r673
marcink
renamed project to rhodecode
 r547 def check_permissions(self):
if not self.repo_name:
self.repo_name = get_repo_slug(request)
try:
marcink
more detailed logging on auth system...
 r2125 self._user_perms = set(
marcink
#227 Initial version of repository groups permissions system...
 r1982 [self.user_perms['repositories'][self.repo_name]]
)
marcink
renamed project to rhodecode
 r547 except KeyError:
return False
marcink
more detailed logging on auth system...
 r2125 if self.required_perms.issubset(self._user_perms):
marcink
renamed project to rhodecode
 r547 return True
return False
marcink
#49 Enabled anonymous access for web interface controllable from permissions pannel
 r673
marcink
PEP8ify
 r1246
marcink
renamed project to rhodecode
 r547 class HasRepoPermissionAny(PermsFunction):
Bradley M. Kuhn
Imported some of the GPLv3'd changes from RhodeCode v2.2.5....
 r4116 def __call__(self, repo_name=None, check_location='', user=None):
marcink
renamed project to rhodecode
 r547 self.repo_name = repo_name
Bradley M. Kuhn
Imported some of the GPLv3'd changes from RhodeCode v2.2.5....
 r4116 return super(HasRepoPermissionAny, self).__call__(check_location, user)
marcink
#49 Enabled anonymous access for web interface controllable from permissions pannel
 r673
marcink
renamed project to rhodecode
 r547 def check_permissions(self):
if not self.repo_name:
self.repo_name = get_repo_slug(request)
try:
marcink
more detailed logging on auth system...
 r2125 self._user_perms = set(
marcink
#227 Initial version of repository groups permissions system...
 r1982 [self.user_perms['repositories'][self.repo_name]]
)
marcink
renamed project to rhodecode
 r547 except KeyError:
return False
marcink
more detailed logging on auth system...
 r2125 if self.required_perms.intersection(self._user_perms):
marcink
renamed project to rhodecode
 r547 return True
return False
marcink
PEP8ify
 r1246
Bradley M. Kuhn
Imported some of the GPLv3'd changes from RhodeCode v2.2.5....
 r4116 class HasRepoGroupPermissionAny(PermsFunction):
def __call__(self, group_name=None, check_location='', user=None):
marcink
#227 Initial version of repository groups permissions system...
 r1982 self.group_name = group_name
Bradley M. Kuhn
Imported some of the GPLv3'd changes from RhodeCode v2.2.5....
 r4116 return super(HasRepoGroupPermissionAny, self).__call__(check_location, user)
marcink
#227 Initial version of repository groups permissions system...
 r1982
def check_permissions(self):
try:
marcink
more detailed logging on auth system...
 r2125 self._user_perms = set(
marcink
#227 Initial version of repository groups permissions system...
 r1982 [self.user_perms['repositories_groups'][self.group_name]]
)
except KeyError:
return False
marcink
more detailed logging on auth system...
 r2125 if self.required_perms.intersection(self._user_perms):
marcink
#227 Initial version of repository groups permissions system...
 r1982 return True
return False
Bradley M. Kuhn
Imported some of the GPLv3'd changes from RhodeCode v2.2.5....
 r4116 class HasRepoGroupPermissionAll(PermsFunction):
def __call__(self, group_name=None, check_location='', user=None):
marcink
#227 Initial version of repository groups permissions system...
 r1982 self.group_name = group_name
Bradley M. Kuhn
Imported some of the GPLv3'd changes from RhodeCode v2.2.5....
 r4116 return super(HasRepoGroupPermissionAll, self).__call__(check_location, user)
marcink
#227 Initial version of repository groups permissions system...
 r1982
def check_permissions(self):
try:
marcink
more detailed logging on auth system...
 r2125 self._user_perms = set(
marcink
#227 Initial version of repository groups permissions system...
 r1982 [self.user_perms['repositories_groups'][self.group_name]]
)
except KeyError:
return False
marcink
more detailed logging on auth system...
 r2125 if self.required_perms.issubset(self._user_perms):
marcink
#227 Initial version of repository groups permissions system...
 r1982 return True
return False
marcink
- Manage User’s Groups: create, delete, rename, add/remove users inside....
 r3714 class HasUserGroupPermissionAny(PermsFunction):
Bradley M. Kuhn
Imported some of the GPLv3'd changes from RhodeCode v2.2.5....
 r4116 def __call__(self, user_group_name=None, check_location='', user=None):
marcink
- Manage User’s Groups: create, delete, rename, add/remove users inside....
 r3714 self.user_group_name = user_group_name
Bradley M. Kuhn
Imported some of the GPLv3'd changes from RhodeCode v2.2.5....
 r4116 return super(HasUserGroupPermissionAny, self).__call__(check_location, user)
marcink
- Manage User’s Groups: create, delete, rename, add/remove users inside....
 r3714
def check_permissions(self):
try:
self._user_perms = set(
[self.user_perms['user_groups'][self.user_group_name]]
)
except KeyError:
return False
if self.required_perms.intersection(self._user_perms):
return True
return False
class HasUserGroupPermissionAll(PermsFunction):
Bradley M. Kuhn
Imported some of the GPLv3'd changes from RhodeCode v2.2.5....
 r4116 def __call__(self, user_group_name=None, check_location='', user=None):
marcink
- Manage User’s Groups: create, delete, rename, add/remove users inside....
 r3714 self.user_group_name = user_group_name
Bradley M. Kuhn
Imported some of the GPLv3'd changes from RhodeCode v2.2.5....
 r4116 return super(HasUserGroupPermissionAll, self).__call__(check_location, user)
marcink
- Manage User’s Groups: create, delete, rename, add/remove users inside....
 r3714
def check_permissions(self):
try:
self._user_perms = set(
[self.user_perms['user_groups'][self.user_group_name]]
)
except KeyError:
return False
if self.required_perms.issubset(self._user_perms):
return True
return False
Bradley M. Kuhn
Imported some of the GPLv3'd changes from RhodeCode v2.2.5....
 r4116
marcink
PEP8ify
 r1246 #==============================================================================
marcink
renamed project to rhodecode
 r547 # SPECIAL VERSION TO HANDLE MIDDLEWARE AUTH
marcink
PEP8ify
 r1246 #==============================================================================
marcink
renamed project to rhodecode
 r547 class HasPermissionAnyMiddleware(object):
def __init__(self, *perms):
self.required_perms = set(perms)
marcink
#49 Enabled anonymous access for web interface controllable from permissions pannel
 r673
marcink
renamed project to rhodecode
 r547 def __call__(self, user, repo_name):
marcink
fixed some unicode problems with waitress...
 r2100 # repo_name MUST be unicode, since we handle keys in permission
# dict by unicode
repo_name = safe_unicode(repo_name)
marcink
Major rewrite of auth objects. Moved parts of filling user data into user model....
 r1117 usr = AuthUser(user.user_id)
marcink
renamed project to rhodecode
 r547 try:
marcink
Major rewrite of auth objects. Moved parts of filling user data into user model....
 r1117 self.user_perms = set([usr.permissions['repositories'][repo_name]])
marcink
fixed some unicode problems with waitress...
 r2100 except Exception:
marcink
utils/conf...
 r2109 log.error('Exception while accessing permissions %s' %
marcink
fixed some unicode problems with waitress...
 r2100 traceback.format_exc())
marcink
renamed project to rhodecode
 r547 self.user_perms = set()
self.username = user.username
marcink
#49 Enabled anonymous access for web interface controllable from permissions pannel
 r673 self.repo_name = repo_name
marcink
renamed project to rhodecode
 r547 return self.check_permissions()
marcink
#49 Enabled anonymous access for web interface controllable from permissions pannel
 r673
marcink
renamed project to rhodecode
 r547 def check_permissions(self):
marcink
Implemented basic locking functionality....
 r2726 log.debug('checking VCS protocol '
marcink
fixes fixes fixes ! optimized queries on journal...
 r1040 'permissions %s for user:%s repository:%s', self.user_perms,
marcink
renamed project to rhodecode
 r547 self.username, self.repo_name)
if self.required_perms.intersection(self.user_perms):
Bradley M. Kuhn
Imported some of the GPLv3'd changes from RhodeCode v2.2.5....
 r4116 log.debug('Permission to repo: %s granted for user: %s @ %s'
% (self.repo_name, self.username, 'PermissionMiddleware'))
marcink
renamed project to rhodecode
 r547 return True
Bradley M. Kuhn
Imported some of the GPLv3'd changes from RhodeCode v2.2.5....
 r4116 log.debug('Permission to repo: %s denied for user: %s @ %s'
% (self.repo_name, self.username, 'PermissionMiddleware'))
marcink
renamed project to rhodecode
 r547 return False
marcink
Added UserIpMap interface for allowed IP addresses and IP restriction access...
 r3125
marcink
Implemented API calls for non-admin users for locking/unlocking repositories
 r3161 #==============================================================================
# SPECIAL VERSION TO HANDLE API AUTH
#==============================================================================
class _BaseApiPerm(object):
def __init__(self, *perms):
self.required_perms = set(perms)
Bradley M. Kuhn
Imported some of the GPLv3'd changes from RhodeCode v2.2.5....
 r4116 def __call__(self, check_location=None, user=None, repo_name=None,
group_name=None):
marcink
Implemented API calls for non-admin users for locking/unlocking repositories
 r3161 cls_name = self.__class__.__name__
Bradley M. Kuhn
Imported some of the GPLv3'd changes from RhodeCode v2.2.5....
 r4116 check_scope = 'user:%s' % (user)
if repo_name:
check_scope += ', repo:%s' % (repo_name)
if group_name:
check_scope += ', repo group:%s' % (group_name)
log.debug('checking cls:%s %s %s @ %s'
% (cls_name, self.required_perms, check_scope, check_location))
marcink
Implemented API calls for non-admin users for locking/unlocking repositories
 r3161 if not user:
log.debug('Empty User passed into arguments')
return False
## process user
if not isinstance(user, AuthUser):
user = AuthUser(user.user_id)
Bradley M. Kuhn
Imported some of the GPLv3'd changes from RhodeCode v2.2.5....
 r4116 if not check_location:
check_location = 'unspecified'
if self.check_permissions(user.permissions, repo_name, group_name):
log.debug('Permission to %s granted for user: %s @ %s'
% (check_scope, user, check_location))
marcink
Implemented API calls for non-admin users for locking/unlocking repositories
 r3161 return True
else:
Bradley M. Kuhn
Imported some of the GPLv3'd changes from RhodeCode v2.2.5....
 r4116 log.debug('Permission to %s denied for user: %s @ %s'
% (check_scope, user, check_location))
marcink
Implemented API calls for non-admin users for locking/unlocking repositories
 r3161 return False
Bradley M. Kuhn
Imported some of the GPLv3'd changes from RhodeCode v2.2.5....
 r4116 def check_permissions(self, perm_defs, repo_name=None, group_name=None):
marcink
Implemented API calls for non-admin users for locking/unlocking repositories
 r3161 """
implement in child class should return True if permissions are ok,
False otherwise
:param perm_defs: dict with permission definitions
:param repo_name: repo name
"""
raise NotImplementedError()
class HasPermissionAllApi(_BaseApiPerm):
Bradley M. Kuhn
Imported some of the GPLv3'd changes from RhodeCode v2.2.5....
 r4116 def check_permissions(self, perm_defs, repo_name=None, group_name=None):
marcink
Implemented API calls for non-admin users for locking/unlocking repositories
 r3161 if self.required_perms.issubset(perm_defs.get('global')):
return True
return False
class HasPermissionAnyApi(_BaseApiPerm):
Bradley M. Kuhn
Imported some of the GPLv3'd changes from RhodeCode v2.2.5....
 r4116 def check_permissions(self, perm_defs, repo_name=None, group_name=None):
marcink
Implemented API calls for non-admin users for locking/unlocking repositories
 r3161 if self.required_perms.intersection(perm_defs.get('global')):
return True
return False
class HasRepoPermissionAllApi(_BaseApiPerm):
Bradley M. Kuhn
Imported some of the GPLv3'd changes from RhodeCode v2.2.5....
 r4116 def check_permissions(self, perm_defs, repo_name=None, group_name=None):
marcink
Implemented API calls for non-admin users for locking/unlocking repositories
 r3161 try:
Bradley M. Kuhn
Imported some of the GPLv3'd changes from RhodeCode v2.2.5....
 r4116 _user_perms = set([perm_defs['repositories'][repo_name]])
marcink
Implemented API calls for non-admin users for locking/unlocking repositories
 r3161 except KeyError:
log.warning(traceback.format_exc())
return False
Bradley M. Kuhn
Imported some of the GPLv3'd changes from RhodeCode v2.2.5....
 r4116 if self.required_perms.issubset(_user_perms):
marcink
Implemented API calls for non-admin users for locking/unlocking repositories
 r3161 return True
return False
class HasRepoPermissionAnyApi(_BaseApiPerm):
Bradley M. Kuhn
Imported some of the GPLv3'd changes from RhodeCode v2.2.5....
 r4116 def check_permissions(self, perm_defs, repo_name=None, group_name=None):
marcink
Implemented API calls for non-admin users for locking/unlocking repositories
 r3161 try:
Bradley M. Kuhn
Imported some of the GPLv3'd changes from RhodeCode v2.2.5....
 r4116 _user_perms = set([perm_defs['repositories'][repo_name]])
marcink
Implemented API calls for non-admin users for locking/unlocking repositories
 r3161 except KeyError:
log.warning(traceback.format_exc())
return False
if self.required_perms.intersection(_user_perms):
return True
return False
Bradley M. Kuhn
Imported some of the GPLv3'd changes from RhodeCode v2.2.5....
 r4116 class HasRepoGroupPermissionAnyApi(_BaseApiPerm):
def check_permissions(self, perm_defs, repo_name=None, group_name=None):
try:
_user_perms = set([perm_defs['repositories_groups'][group_name]])
except KeyError:
log.warning(traceback.format_exc())
return False
if self.required_perms.intersection(_user_perms):
return True
return False
class HasRepoGroupPermissionAllApi(_BaseApiPerm):
def check_permissions(self, perm_defs, repo_name=None, group_name=None):
try:
_user_perms = set([perm_defs['repositories_groups'][group_name]])
except KeyError:
log.warning(traceback.format_exc())
return False
if self.required_perms.issubset(_user_perms):
return True
return False
marcink
Added UserIpMap interface for allowed IP addresses and IP restriction access...
 r3125 def check_ip_access(source_ip, allowed_ips=None):
"""
Checks if source_ip is a subnet of any of allowed_ips.
:param source_ip:
:param allowed_ips: list of allowed ips together with mask
"""
from rhodecode.lib import ipaddr
log.debug('checking if ip:%s is subnet of %s' % (source_ip, allowed_ips))
if isinstance(allowed_ips, (tuple, list, set)):
for ip in allowed_ips:
marcink
IP restrictions now also enabled for IPv6
 r3212 try:
if ipaddr.IPAddress(source_ip) in ipaddr.IPNetwork(ip):
Bradley M. Kuhn
Imported some of the GPLv3'd changes from RhodeCode v2.2.5....
 r4116 log.debug('IP %s is network %s' %
(ipaddr.IPAddress(source_ip), ipaddr.IPNetwork(ip)))
marcink
IP restrictions now also enabled for IPv6
 r3212 return True
# for any case we cannot determine the IP, don't crash just
# skip it and log as error, we want to say forbidden still when
# sending bad IP
except Exception:
log.error(traceback.format_exc())
continue
marcink
Added UserIpMap interface for allowed IP addresses and IP restriction access...
 r3125 return False