auth.py
677 lines
| 22.8 KiB
| text/x-python
|
PythonLexer
| r895 | # -*- coding: utf-8 -*- | |||
| """ | ||||
| rhodecode.lib.auth | ||||
| ~~~~~~~~~~~~~~~~~~ | ||||
| r1203 | ||||
| r895 | authentication and permission libraries | |||
| r1203 | ||||
| r895 | :created_on: Apr 4, 2010 | |||
| r1532 | :copyright: (C) 2009-2011 Marcin Kuzminski <marcin@python-works.com> | |||
| :license: GPLv3, see COPYING for more details. | ||||
| r895 | """ | |||
| r1206 | # This program is free software: you can redistribute it and/or modify | |||
| # it under the terms of the GNU General Public License as published by | ||||
| # the Free Software Foundation, either version 3 of the License, or | ||||
| # (at your option) any later version. | ||||
| r1203 | # | |||
| r547 | # This program is distributed in the hope that it will be useful, | |||
| # but WITHOUT ANY WARRANTY; without even the implied warranty of | ||||
| # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||||
| # GNU General Public License for more details. | ||||
| r1203 | # | |||
| r547 | # You should have received a copy of the GNU General Public License | |||
| r1206 | # along with this program. If not, see <http://www.gnu.org/licenses/>. | |||
| r547 | ||||
| r895 | import random | |||
| import logging | ||||
| import traceback | ||||
| r1116 | import hashlib | |||
| r1118 | ||||
| r1116 | from tempfile import _RandomNameSequence | |||
| r895 | from decorator import decorator | |||
| r547 | from pylons import config, session, url, request | |||
| from pylons.controllers.util import abort, redirect | ||||
| r1056 | from pylons.i18n.translation import _ | |||
| r895 | ||||
| r1195 | from rhodecode import __platform__, PLATFORM_WIN, PLATFORM_OTHERS | |||
| r1118 | ||||
| r1195 | if __platform__ in PLATFORM_WIN: | |||
| r1118 | from hashlib import sha256 | |||
| r1195 | if __platform__ in PLATFORM_OTHERS: | |||
| r1118 | import bcrypt | |||
| r1425 | from rhodecode.lib import str2bool, safe_unicode | |||
| r895 | from rhodecode.lib.exceptions import LdapPasswordError, LdapUsernameError | |||
| r547 | from rhodecode.lib.utils import get_repo_slug | |||
| r713 | from rhodecode.lib.auth_ldap import AuthLdap | |||
| r895 | ||||
| r547 | from rhodecode.model import meta | |||
| r673 | from rhodecode.model.user import UserModel | |||
| r1530 | from rhodecode.model.db import Permission, RhodeCodeSettings, User | |||
| r895 | ||||
| r1246 | log = logging.getLogger(__name__) | |||
| r547 | ||||
| class PasswordGenerator(object): | ||||
| """This is a simple class for generating password from | ||||
| different sets of characters | ||||
| usage: | ||||
| passwd_gen = PasswordGenerator() | ||||
| r1246 | #print 8-letter password containing only big and small letters | |||
| of alphabet | ||||
| r1203 | print passwd_gen.gen_password(8, passwd_gen.ALPHABETS_BIG_SMALL) | |||
| r547 | """ | |||
| r1246 | ALPHABETS_NUM = r'''1234567890''' | |||
| ALPHABETS_SMALL = r'''qwertyuiopasdfghjklzxcvbnm''' | ||||
| ALPHABETS_BIG = r'''QWERTYUIOPASDFGHJKLZXCVBNM''' | ||||
| ALPHABETS_SPECIAL = r'''`-=[]\;',./~!@#$%^&*()_+{}|:"<>?''' | ||||
| ALPHABETS_FULL = ALPHABETS_BIG + ALPHABETS_SMALL \ | ||||
| + ALPHABETS_NUM + ALPHABETS_SPECIAL | ||||
| ALPHABETS_ALPHANUM = ALPHABETS_BIG + ALPHABETS_SMALL + ALPHABETS_NUM | ||||
| r547 | ALPHABETS_BIG_SMALL = ALPHABETS_BIG + ALPHABETS_SMALL | |||
| r1246 | ALPHABETS_ALPHANUM_BIG = ALPHABETS_BIG + ALPHABETS_NUM | |||
| ALPHABETS_ALPHANUM_SMALL = ALPHABETS_SMALL + ALPHABETS_NUM | ||||
| r673 | ||||
| r547 | def __init__(self, passwd=''): | |||
| self.passwd = passwd | ||||
| def gen_password(self, len, type): | ||||
| self.passwd = ''.join([random.choice(type) for _ in xrange(len)]) | ||||
| return self.passwd | ||||
| r1246 | ||||
| r1118 | class RhodeCodeCrypto(object): | |||
| @classmethod | ||||
| def hash_string(cls, str_): | ||||
| """ | ||||
| Cryptographic function used for password hashing based on pybcrypt | ||||
| or pycrypto in windows | ||||
| r1203 | ||||
| r1118 | :param password: password to hash | |||
| """ | ||||
| r1195 | if __platform__ in PLATFORM_WIN: | |||
| r1118 | return sha256(str_).hexdigest() | |||
| r1195 | elif __platform__ in PLATFORM_OTHERS: | |||
| r1118 | return bcrypt.hashpw(str_, bcrypt.gensalt(10)) | |||
| else: | ||||
| r1246 | raise Exception('Unknown or unsupported platform %s' \ | |||
| % __platform__) | ||||
| r1118 | ||||
| @classmethod | ||||
| def hash_check(cls, password, hashed): | ||||
| """ | ||||
| Checks matching password with it's hashed value, runs different | ||||
| implementation based on platform it runs on | ||||
| r1203 | ||||
| r1118 | :param password: password | |||
| :param hashed: password in hashed form | ||||
| """ | ||||
| r1195 | if __platform__ in PLATFORM_WIN: | |||
| r1118 | return sha256(password).hexdigest() == hashed | |||
| r1195 | elif __platform__ in PLATFORM_OTHERS: | |||
| r1118 | return bcrypt.hashpw(password, hashed) == hashed | |||
| else: | ||||
| r1246 | raise Exception('Unknown or unsupported platform %s' \ | |||
| % __platform__) | ||||
| r1118 | ||||
| r673 | ||||
| r547 | def get_crypt_password(password): | |||
| r1118 | return RhodeCodeCrypto.hash_string(password) | |||
| r1246 | ||||
| r1118 | def check_password(password, hashed): | |||
| return RhodeCodeCrypto.hash_check(password, hashed) | ||||
| r547 | ||||
| r1628 | def generate_api_key(str_, salt=None): | |||
| """ | ||||
| Generates API KEY from given string | ||||
| :param str_: | ||||
| :param salt: | ||||
| """ | ||||
| r1116 | if salt is None: | |||
| salt = _RandomNameSequence().next() | ||||
| r1628 | return hashlib.sha1(str_ + salt).hexdigest() | |||
| r1116 | ||||
| r1246 | ||||
| r547 | def authfunc(environ, username, password): | |||
| r1628 | """ | |||
| Dummy authentication function used in Mercurial/Git/ and access control, | ||||
| r1203 | ||||
| r761 | :param environ: needed only for using in Basic auth | |||
| """ | ||||
| return authenticate(username, password) | ||||
| def authenticate(username, password): | ||||
| r1628 | """ | |||
| Authentication function used for access control, | ||||
| r699 | firstly checks for db authentication then if ldap is enabled for ldap | |||
| r705 | authentication, also creates ldap user if not in database | |||
| r1203 | ||||
| r699 | :param username: username | |||
| :param password: password | ||||
| """ | ||||
| r1292 | ||||
| r705 | user_model = UserModel() | |||
| r1530 | user = User.get_by_username(username) | |||
| r699 | ||||
| r761 | log.debug('Authenticating user using RhodeCode account') | |||
Thayne Harbaugh
|
r991 | if user is not None and not user.ldap_dn: | ||
| r547 | if user.active: | |||
| r674 | if user.username == 'default' and user.active: | |||
| r761 | log.info('user %s authenticated correctly as anonymous user', | |||
| username) | ||||
| r674 | return True | |||
| r1246 | elif user.username == username and check_password(password, | |||
| user.password): | ||||
| r547 | log.info('user %s authenticated correctly', username) | |||
| return True | ||||
| else: | ||||
| r761 | log.warning('user %s is disabled', username) | |||
| r705 | ||||
| else: | ||||
| r761 | log.debug('Regular authentication failed') | |||
| r1530 | user_obj = User.get_by_username(username, case_insensitive=True) | |||
| r761 | ||||
|
Thayne Harbaugh
|
r991 | if user_obj is not None and not user_obj.ldap_dn: | ||
| r749 | log.debug('this user already exists as non ldap') | |||
| r748 | return False | |||
| r1292 | ldap_settings = RhodeCodeSettings.get_ldap_settings() | |||
| r705 | #====================================================================== | |||
| r1203 | # FALLBACK TO LDAP AUTH IF ENABLE | |||
| r705 | #====================================================================== | |||
| r1135 | if str2bool(ldap_settings.get('ldap_active')): | |||
| r761 | log.debug("Authenticating user using ldap") | |||
| r705 | kwargs = { | |||
| r1246 | 'server': ldap_settings.get('ldap_host', ''), | |||
| 'base_dn': ldap_settings.get('ldap_base_dn', ''), | ||||
| 'port': ldap_settings.get('ldap_port'), | ||||
| 'bind_dn': ldap_settings.get('ldap_dn_user'), | ||||
| 'bind_pass': ldap_settings.get('ldap_dn_pass'), | ||||
"Lorenzo M. Catucci"
|
r1290 | 'tls_kind': ldap_settings.get('ldap_tls_kind'), | ||
| r1246 | 'tls_reqcert': ldap_settings.get('ldap_tls_reqcert'), | |||
| 'ldap_filter': ldap_settings.get('ldap_filter'), | ||||
| 'search_scope': ldap_settings.get('ldap_search_scope'), | ||||
| 'attr_login': ldap_settings.get('ldap_attr_login'), | ||||
| 'ldap_version': 3, | ||||
| r705 | } | |||
| log.debug('Checking for ldap authentication') | ||||
| try: | ||||
| aldap = AuthLdap(**kwargs) | ||||
| r1246 | (user_dn, ldap_attrs) = aldap.authenticate_ldap(username, | |||
| password) | ||||
|
Thayne Harbaugh
|
r991 | log.debug('Got ldap DN response %s', user_dn) | ||
| r705 | ||||
| r1307 | get_ldap_attr = lambda k: ldap_attrs.get(ldap_settings\ | |||
| r1292 | .get(k), [''])[0] | |||
|
Thayne Harbaugh
|
r991 | user_attrs = { | ||
| r1425 | 'name': safe_unicode(get_ldap_attr('ldap_attr_firstname')), | |||
| 'lastname': safe_unicode(get_ldap_attr('ldap_attr_lastname')), | ||||
| 'email': get_ldap_attr('ldap_attr_email'), | ||||
| } | ||||
|
Thayne Harbaugh
|
r991 | |||
| r1246 | if user_model.create_ldap(username, password, user_dn, | |||
| user_attrs): | ||||
| r1016 | log.info('created new ldap user %s', username) | |||
| r705 | ||||
| r761 | return True | |||
| except (LdapUsernameError, LdapPasswordError,): | ||||
| pass | ||||
| except (Exception,): | ||||
| r705 | log.error(traceback.format_exc()) | |||
| r761 | pass | |||
| r547 | return False | |||
Liad Shani
|
r1621 | def login_container_auth(username): | ||
| user = User.get_by_username(username) | ||||
| if user is None: | ||||
| user_model = UserModel() | ||||
| user_attrs = { | ||||
| r1628 | 'name': username, | |||
| 'lastname': None, | ||||
| 'email': None, | ||||
| } | ||||
| user = user_model.create_for_container_auth(username, user_attrs) | ||||
| if not user: | ||||
|
Liad Shani
|
r1621 | return None | ||
| log.info('User %s was created by container authentication', username) | ||||
| if not user.active: | ||||
| return None | ||||
| user.update_lastlogin() | ||||
| r1628 | log.debug('User %s is now logged in by container authentication', | |||
| user.username) | ||||
|
Liad Shani
|
r1621 | return user | ||
| r1628 | def get_container_username(environ, cfg): | |||
|
Liad Shani
|
r1617 | from paste.httpheaders import REMOTE_USER | ||
| from paste.deploy.converters import asbool | ||||
|
Liad Shani
|
r1621 | |||
| r1628 | proxy_pass_enabled = asbool(cfg.get('proxypass_auth_enabled', False)) | |||
|
Liad Shani
|
r1617 | username = REMOTE_USER(environ) | ||
| r1628 | ||||
| if not username and proxy_pass_enabled: | ||||
|
Liad Shani
|
r1617 | username = environ.get('HTTP_X_FORWARDED_USER') | ||
| r1628 | if username and proxy_pass_enabled: | |||
| # Removing realm and domain from username | ||||
|
Liad Shani
|
r1617 | username = username.partition('@')[0] | ||
| username = username.rpartition('\\')[2] | ||||
| log.debug('Received username %s from container', username) | ||||
| return username | ||||
| r1246 | ||||
| r547 | class AuthUser(object): | |||
| r1117 | """ | |||
| A simple object that handles all attributes of user in RhodeCode | ||||
| r1203 | ||||
| r1117 | It does lookup based on API key,given user, or user present in session | |||
| r1203 | Then it fills all required information for such user. It also checks if | |||
| r1117 | anonymous access is enabled and if so, it returns default user as logged | |||
| in | ||||
| r547 | """ | |||
| r1016 | ||||
|
Liad Shani
|
r1613 | def __init__(self, user_id=None, api_key=None, username=None): | ||
| r1117 | ||||
| self.user_id = user_id | ||||
| r1120 | self.api_key = None | |||
|
Liad Shani
|
r1617 | self.username = username | ||
| r1628 | ||||
| r547 | self.name = '' | |||
| self.lastname = '' | ||||
| self.email = '' | ||||
| self.is_authenticated = False | ||||
| r1117 | self.admin = False | |||
| r547 | self.permissions = {} | |||
| r1120 | self._api_key = api_key | |||
| r1117 | self.propagate_data() | |||
| def propagate_data(self): | ||||
| user_model = UserModel() | ||||
| r1530 | self.anonymous_user = User.get_by_username('default') | |||
|
Liad Shani
|
r1613 | is_user_loaded = False | ||
| r1628 | ||||
| # try go get user by api key | ||||
| r1122 | if self._api_key and self._api_key != self.anonymous_user.api_key: | |||
| r1120 | log.debug('Auth User lookup by API KEY %s', self._api_key) | |||
|
Liad Shani
|
r1618 | is_user_loaded = user_model.fill_data(self, api_key=self._api_key) | ||
| r1628 | # lookup by userid | |||
| elif (self.user_id is not None and | ||||
| self.user_id != self.anonymous_user.user_id): | ||||
| r1117 | log.debug('Auth User lookup by USER ID %s', self.user_id) | |||
|
Liad Shani
|
r1618 | is_user_loaded = user_model.fill_data(self, user_id=self.user_id) | ||
| r1628 | # lookup by username | |||
|
Liad Shani
|
r1617 | elif self.username: | ||
|
Liad Shani
|
r1613 | log.debug('Auth User lookup by USER NAME %s', self.username) | ||
|
Liad Shani
|
r1621 | dbuser = login_container_auth(self.username) | ||
| if dbuser is not None: | ||||
|
Liad Shani
|
r1613 | for k, v in dbuser.get_dict().items(): | ||
| setattr(self, k, v) | ||||
| self.set_authenticated() | ||||
| is_user_loaded = True | ||||
| if not is_user_loaded: | ||||
| r1628 | # if we cannot authenticate user try anonymous | |||
|
Liad Shani
|
r1613 | if self.anonymous_user.active is True: | ||
| r1628 | user_model.fill_data(self,user_id=self.anonymous_user.user_id) | |||
| # then we set this user is logged in | ||||
|
Liad Shani
|
r1613 | self.is_authenticated = True | ||
| r1117 | else: | |||
|
Liad Shani
|
r1618 | self.user_id = None | ||
| self.username = None | ||||
|
Liad Shani
|
r1613 | self.is_authenticated = False | ||
| r1117 | ||||
|
Liad Shani
|
r1617 | if not self.username: | ||
| self.username = 'None' | ||||
| r1117 | log.debug('Auth User is now %s', self) | |||
| user_model.fill_perms(self) | ||||
| @property | ||||
| def is_admin(self): | ||||
| return self.admin | ||||
| r547 | ||||
| r1305 | @property | |||
| def full_contact(self): | ||||
| return '%s %s <%s>' % (self.name, self.lastname, self.email) | ||||
| r673 | def __repr__(self): | |||
| r1117 | return "<AuthUser('id:%s:%s|%s')>" % (self.user_id, self.username, | |||
| self.is_authenticated) | ||||
| def set_authenticated(self, authenticated=True): | ||||
| if self.user_id != self.anonymous_user.user_id: | ||||
| self.is_authenticated = authenticated | ||||
| r547 | ||||
| def set_available_permissions(config): | ||||
| r1628 | """ | |||
| This function will propagate pylons globals with all available defined | ||||
| r1203 | permission given in db. We don't want to check each time from db for new | |||
| r547 | permissions since adding a new permission also requires application restart | |||
| ie. to decorate new views with the newly created permission | ||||
| r1203 | ||||
| r895 | :param config: current pylons config instance | |||
| r1203 | ||||
| r547 | """ | |||
| log.info('getting information about all available permissions') | ||||
| try: | ||||
| r629 | sa = meta.Session() | |||
| r547 | all_perms = sa.query(Permission).all() | |||
| r629 | except: | |||
| pass | ||||
| r547 | finally: | |||
| meta.Session.remove() | ||||
| r673 | ||||
| r547 | config['available_permissions'] = [x.permission_name for x in all_perms] | |||
| r1246 | ||||
| #============================================================================== | ||||
| r547 | # CHECK DECORATORS | |||
| r1246 | #============================================================================== | |||
| r547 | class LoginRequired(object): | |||
| r1117 | """ | |||
| r1203 | Must be logged in to execute this function else | |||
| r1117 | redirect to login page | |||
| r1203 | ||||
| r1117 | :param api_access: if enabled this checks only for valid auth token | |||
| and grants access based on valid token | ||||
| """ | ||||
| def __init__(self, api_access=False): | ||||
| self.api_access = api_access | ||||
| r673 | ||||
| r547 | def __call__(self, func): | |||
| return decorator(self.__wrapper, func) | ||||
| r673 | ||||
| r547 | def __wrapper(self, func, *fargs, **fkwargs): | |||
| r1117 | cls = fargs[0] | |||
| user = cls.rhodecode_user | ||||
| api_access_ok = False | ||||
| if self.api_access: | ||||
| log.debug('Checking API KEY access for %s', cls) | ||||
| if user.api_key == request.GET.get('api_key'): | ||||
| api_access_ok = True | ||||
| else: | ||||
| log.debug("API KEY token not valid") | ||||
| log.debug('Checking if %s is authenticated @ %s', user.username, cls) | ||||
| if user.is_authenticated or api_access_ok: | ||||
| r547 | log.debug('user %s is authenticated', user.username) | |||
| return func(*fargs, **fkwargs) | ||||
| else: | ||||
| r1117 | log.warn('user %s NOT authenticated', user.username) | |||
| r1207 | p = url.current() | |||
| r673 | ||||
| log.debug('redirecting to login page with %s', p) | ||||
| r547 | return redirect(url('login_home', came_from=p)) | |||
| r1246 | ||||
| r779 | class NotAnonymous(object): | |||
| r1203 | """Must be logged in to execute this function else | |||
| r779 | redirect to login page""" | |||
| def __call__(self, func): | ||||
| return decorator(self.__wrapper, func) | ||||
| def __wrapper(self, func, *fargs, **fkwargs): | ||||
| r1117 | cls = fargs[0] | |||
| self.user = cls.rhodecode_user | ||||
| r779 | ||||
| r1117 | log.debug('Checking if user is not anonymous @%s', cls) | |||
| anonymous = self.user.username == 'default' | ||||
| r779 | ||||
| if anonymous: | ||||
| r1335 | p = url.current() | |||
| r1056 | ||||
| import rhodecode.lib.helpers as h | ||||
| r1246 | h.flash(_('You need to be a registered user to ' | |||
| 'perform this action'), | ||||
| r1056 | category='warning') | |||
| r779 | return redirect(url('login_home', came_from=p)) | |||
| else: | ||||
| return func(*fargs, **fkwargs) | ||||
| r1246 | ||||
| r547 | class PermsDecorator(object): | |||
| r1117 | """Base class for controller decorators""" | |||
| r673 | ||||
| r547 | def __init__(self, *required_perms): | |||
| available_perms = config['available_permissions'] | ||||
| for perm in required_perms: | ||||
| if perm not in available_perms: | ||||
| raise Exception("'%s' permission is not defined" % perm) | ||||
| self.required_perms = set(required_perms) | ||||
| self.user_perms = None | ||||
| r673 | ||||
| r547 | def __call__(self, func): | |||
| return decorator(self.__wrapper, func) | ||||
| r673 | ||||
| r547 | def __wrapper(self, func, *fargs, **fkwargs): | |||
| r1117 | cls = fargs[0] | |||
| self.user = cls.rhodecode_user | ||||
| r673 | self.user_perms = self.user.permissions | |||
| log.debug('checking %s permissions %s for %s %s', | ||||
| r1117 | self.__class__.__name__, self.required_perms, cls, | |||
| r673 | self.user) | |||
| r547 | ||||
| if self.check_permissions(): | ||||
| r1117 | log.debug('Permission granted for %s %s', cls, self.user) | |||
| r547 | return func(*fargs, **fkwargs) | |||
| r673 | ||||
| r547 | else: | |||
| r1117 | log.warning('Permission denied for %s %s', cls, self.user) | |||
| r1336 | ||||
| anonymous = self.user.username == 'default' | ||||
| if anonymous: | ||||
| p = url.current() | ||||
| import rhodecode.lib.helpers as h | ||||
| h.flash(_('You need to be a signed in to ' | ||||
| 'view this page'), | ||||
| category='warning') | ||||
| return redirect(url('login_home', came_from=p)) | ||||
| else: | ||||
| r1628 | # redirect with forbidden ret code | |||
| r1336 | return abort(403) | |||
| r547 | ||||
| def check_permissions(self): | ||||
| """Dummy function for overriding""" | ||||
| raise Exception('You have to write this function in child class') | ||||
| r1246 | ||||
| r547 | class HasPermissionAllDecorator(PermsDecorator): | |||
| r1203 | """Checks for access permission for all given predicates. All of them | |||
| r547 | have to be meet in order to fulfill the request | |||
| """ | ||||
| r673 | ||||
| r547 | def check_permissions(self): | |||
| if self.required_perms.issubset(self.user_perms.get('global')): | ||||
| return True | ||||
| return False | ||||
| r673 | ||||
| r547 | ||||
| class HasPermissionAnyDecorator(PermsDecorator): | ||||
| r1203 | """Checks for access permission for any of given predicates. In order to | |||
| r547 | fulfill the request any of predicates must be meet | |||
| """ | ||||
| r673 | ||||
| r547 | def check_permissions(self): | |||
| if self.required_perms.intersection(self.user_perms.get('global')): | ||||
| return True | ||||
| return False | ||||
| r1246 | ||||
| r547 | class HasRepoPermissionAllDecorator(PermsDecorator): | |||
| r1203 | """Checks for access permission for all given predicates for specific | |||
| r547 | repository. All of them have to be meet in order to fulfill the request | |||
| """ | ||||
| r673 | ||||
| r547 | def check_permissions(self): | |||
| repo_name = get_repo_slug(request) | ||||
| try: | ||||
| user_perms = set([self.user_perms['repositories'][repo_name]]) | ||||
| except KeyError: | ||||
| return False | ||||
| if self.required_perms.issubset(user_perms): | ||||
| return True | ||||
| return False | ||||
| r673 | ||||
| r547 | ||||
| class HasRepoPermissionAnyDecorator(PermsDecorator): | ||||
| r1203 | """Checks for access permission for any of given predicates for specific | |||
| r547 | repository. In order to fulfill the request any of predicates must be meet | |||
| """ | ||||
| r673 | ||||
| r547 | def check_permissions(self): | |||
| repo_name = get_repo_slug(request) | ||||
| r673 | ||||
| r547 | try: | |||
| user_perms = set([self.user_perms['repositories'][repo_name]]) | ||||
| except KeyError: | ||||
| return False | ||||
| if self.required_perms.intersection(user_perms): | ||||
| return True | ||||
| return False | ||||
| r1246 | ||||
| #============================================================================== | ||||
| r547 | # CHECK FUNCTIONS | |||
| r1246 | #============================================================================== | |||
| r547 | class PermsFunction(object): | |||
| """Base function for other check functions""" | ||||
| r673 | ||||
| r547 | def __init__(self, *perms): | |||
| available_perms = config['available_permissions'] | ||||
| r673 | ||||
| r547 | for perm in perms: | |||
| if perm not in available_perms: | ||||
| raise Exception("'%s' permission in not defined" % perm) | ||||
| self.required_perms = set(perms) | ||||
| self.user_perms = None | ||||
| self.granted_for = '' | ||||
| self.repo_name = None | ||||
| r673 | ||||
| r547 | def __call__(self, check_Location=''): | |||
| r548 | user = session.get('rhodecode_user', False) | |||
| r547 | if not user: | |||
| return False | ||||
| self.user_perms = user.permissions | ||||
| r1117 | self.granted_for = user | |||
| r673 | log.debug('checking %s %s %s', self.__class__.__name__, | |||
| self.required_perms, user) | ||||
| r547 | if self.check_permissions(): | |||
| r1117 | log.debug('Permission granted %s @ %s', self.granted_for, | |||
| check_Location or 'unspecified location') | ||||
| r547 | return True | |||
| r673 | ||||
| r547 | else: | |||
| r1117 | log.warning('Permission denied for %s @ %s', self.granted_for, | |||
| check_Location or 'unspecified location') | ||||
| r673 | return False | |||
| r547 | def check_permissions(self): | |||
| """Dummy function for overriding""" | ||||
| raise Exception('You have to write this function in child class') | ||||
| r673 | ||||
| r1246 | ||||
| r547 | class HasPermissionAll(PermsFunction): | |||
| def check_permissions(self): | ||||
| if self.required_perms.issubset(self.user_perms.get('global')): | ||||
| return True | ||||
| return False | ||||
| r1246 | ||||
| r547 | class HasPermissionAny(PermsFunction): | |||
| def check_permissions(self): | ||||
| if self.required_perms.intersection(self.user_perms.get('global')): | ||||
| return True | ||||
| return False | ||||
| r1246 | ||||
| r547 | class HasRepoPermissionAll(PermsFunction): | |||
| r673 | ||||
| r547 | def __call__(self, repo_name=None, check_Location=''): | |||
| self.repo_name = repo_name | ||||
| return super(HasRepoPermissionAll, self).__call__(check_Location) | ||||
| r673 | ||||
| r547 | def check_permissions(self): | |||
| if not self.repo_name: | ||||
| self.repo_name = get_repo_slug(request) | ||||
| try: | ||||
| r1246 | self.user_perms = set([self.user_perms['reposit' | |||
| 'ories'][self.repo_name]]) | ||||
| r547 | except KeyError: | |||
| return False | ||||
| r673 | self.granted_for = self.repo_name | |||
| r547 | if self.required_perms.issubset(self.user_perms): | |||
| return True | ||||
| return False | ||||
| r673 | ||||
| r1246 | ||||
| r547 | class HasRepoPermissionAny(PermsFunction): | |||
| r673 | ||||
| r547 | def __call__(self, repo_name=None, check_Location=''): | |||
| self.repo_name = repo_name | ||||
| return super(HasRepoPermissionAny, self).__call__(check_Location) | ||||
| r673 | ||||
| r547 | def check_permissions(self): | |||
| if not self.repo_name: | ||||
| self.repo_name = get_repo_slug(request) | ||||
| try: | ||||
| r1246 | self.user_perms = set([self.user_perms['reposi' | |||
| 'tories'][self.repo_name]]) | ||||
| r547 | except KeyError: | |||
| return False | ||||
| self.granted_for = self.repo_name | ||||
| if self.required_perms.intersection(self.user_perms): | ||||
| return True | ||||
| return False | ||||
| r1246 | ||||
| #============================================================================== | ||||
| r547 | # SPECIAL VERSION TO HANDLE MIDDLEWARE AUTH | |||
| r1246 | #============================================================================== | |||
| r547 | class HasPermissionAnyMiddleware(object): | |||
| def __init__(self, *perms): | ||||
| self.required_perms = set(perms) | ||||
| r673 | ||||
| r547 | def __call__(self, user, repo_name): | |||
| r1117 | usr = AuthUser(user.user_id) | |||
| r547 | try: | |||
| r1117 | self.user_perms = set([usr.permissions['repositories'][repo_name]]) | |||
| r547 | except: | |||
| self.user_perms = set() | ||||
| self.granted_for = '' | ||||
| self.username = user.username | ||||
| r673 | self.repo_name = repo_name | |||
| r547 | return self.check_permissions() | |||
| r673 | ||||
| r547 | def check_permissions(self): | |||
| log.debug('checking mercurial protocol ' | ||||
| r1040 | 'permissions %s for user:%s repository:%s', self.user_perms, | |||
| r547 | self.username, self.repo_name) | |||
| if self.required_perms.intersection(self.user_perms): | ||||
| log.debug('permission granted') | ||||
| return True | ||||
| log.debug('permission denied') | ||||
| return False | ||||
| r1628 | ||||
