auth.py
454 lines
| 16.2 KiB
| text/x-python
|
PythonLexer
r252 | #!/usr/bin/env python | |||
# encoding: utf-8 | ||||
# authentication and permission libraries | ||||
# Copyright (C) 2009-2010 Marcin Kuzminski <marcin@python-works.com> | ||||
r377 | # | |||
r252 | # This program is free software; you can redistribute it and/or | |||
# modify it under the terms of the GNU General Public License | ||||
# as published by the Free Software Foundation; version 2 | ||||
# of the License or (at your opinion) any later version of the license. | ||||
# | ||||
# This program is distributed in the hope that it will be useful, | ||||
# but WITHOUT ANY WARRANTY; without even the implied warranty of | ||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||||
# GNU General Public License for more details. | ||||
# | ||||
# You should have received a copy of the GNU General Public License | ||||
# along with this program; if not, write to the Free Software | ||||
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, | ||||
# MA 02110-1301, USA. | ||||
r381 | """ | |||
Created on April 4, 2010 | ||||
@author: marcink | ||||
""" | ||||
r343 | from beaker.cache import cache_region | |||
from pylons import config, session, url, request | ||||
r52 | from pylons.controllers.util import abort, redirect | |||
r343 | from pylons_app.lib.utils import get_repo_slug | |||
Marcin Kuzminski
|
r64 | from pylons_app.model import meta | ||
r417 | from pylons_app.model.db import User, RepoToPerm, Repository, Permission, \ | |||
UserToPerm | ||||
r190 | from sqlalchemy.exc import OperationalError | |||
Marcin Kuzminski
|
r64 | from sqlalchemy.orm.exc import NoResultFound, MultipleResultsFound | ||
r415 | import bcrypt | |||
r377 | from decorator import decorator | |||
r190 | import logging | |||
r343 | ||||
r316 | log = logging.getLogger(__name__) | |||
Marcin Kuzminski
|
r41 | |||
Marcin Kuzminski
|
r64 | def get_crypt_password(password): | ||
r412 | """Cryptographic function used for password hashing based on sha1 | |||
r190 | @param password: password to hash | |||
r415 | """ | |||
return bcrypt.hashpw(password, bcrypt.gensalt(10)) | ||||
def check_password(password, hashed): | ||||
return bcrypt.hashpw(password, hashed) == hashed | ||||
r343 | ||||
@cache_region('super_short_term', 'cached_user') | ||||
def get_user_cached(username): | ||||
sa = meta.Session | ||||
r350 | try: | |||
user = sa.query(User).filter(User.username == username).one() | ||||
finally: | ||||
meta.Session.remove() | ||||
r343 | return user | |||
Marcin Kuzminski
|
r41 | def authfunc(environ, username, password): | ||
r42 | try: | |||
r343 | user = get_user_cached(username) | |||
Marcin Kuzminski
|
r64 | except (NoResultFound, MultipleResultsFound, OperationalError) as e: | ||
r42 | log.error(e) | |||
Marcin Kuzminski
|
r64 | user = None | ||
if user: | ||||
if user.active: | ||||
r415 | if user.username == username and check_password(password, user.password): | |||
Marcin Kuzminski
|
r41 | log.info('user %s authenticated correctly', username) | ||
return True | ||||
else: | ||||
log.error('user %s is disabled', username) | ||||
return False | ||||
r190 | class AuthUser(object): | |||
""" | ||||
A simple object that handles a mercurial username for authentication | ||||
""" | ||||
def __init__(self): | ||||
r316 | self.username = 'None' | |||
r355 | self.name = '' | |||
self.lastname = '' | ||||
r404 | self.email = '' | |||
r316 | self.user_id = None | |||
self.is_authenticated = False | ||||
self.is_admin = False | ||||
self.permissions = {} | ||||
r239 | ||||
def set_available_permissions(config): | ||||
""" | ||||
This function will propagate pylons globals with all available defined | ||||
permission given in db. We don't wannt to check each time from db for new | ||||
permissions since adding a new permission also requires application restart | ||||
ie. to decorate new views with the newly created permission | ||||
@param config: | ||||
""" | ||||
r316 | log.info('getting information about all available permissions') | |||
r350 | try: | |||
sa = meta.Session | ||||
all_perms = sa.query(Permission).all() | ||||
finally: | ||||
meta.Session.remove() | ||||
r316 | config['available_permissions'] = [x.permission_name for x in all_perms] | |||
def set_base_path(config): | ||||
config['base_path'] = config['pylons.app_globals'].base_path | ||||
r371 | ||||
def fill_data(user): | ||||
""" | ||||
r382 | Fills user data with those from database and log out user if not present | |||
in database | ||||
r371 | @param user: | |||
""" | ||||
sa = meta.Session | ||||
dbuser = sa.query(User).get(user.user_id) | ||||
r382 | if dbuser: | |||
user.username = dbuser.username | ||||
user.is_admin = dbuser.admin | ||||
user.name = dbuser.name | ||||
user.lastname = dbuser.lastname | ||||
r404 | user.email = dbuser.email | |||
r382 | else: | |||
user.is_authenticated = False | ||||
r371 | meta.Session.remove() | |||
return user | ||||
r316 | def fill_perms(user): | |||
r367 | """ | |||
Fills user permission attribute with permissions taken from database | ||||
@param user: | ||||
""" | ||||
r316 | sa = meta.Session | |||
user.permissions['repositories'] = {} | ||||
r371 | user.permissions['global'] = set() | |||
r316 | ||||
r417 | #=========================================================================== | |||
# fetch default permissions | ||||
#=========================================================================== | ||||
r423 | default_perms = sa.query(RepoToPerm, Repository, Permission)\ | |||
r399 | .join((Repository, RepoToPerm.repository_id == Repository.repo_id))\ | |||
.join((Permission, RepoToPerm.permission_id == Permission.permission_id))\ | ||||
r423 | .filter(RepoToPerm.user == sa.query(User).filter(User.username == | |||
'default').scalar()).all() | ||||
r417 | ||||
r316 | if user.is_admin: | |||
r417 | #======================================================================= | |||
r423 | # #admin have all default rights set to admin | |||
r417 | #======================================================================= | |||
r371 | user.permissions['global'].add('hg.admin') | |||
r417 | ||||
r316 | for perm in default_perms: | |||
p = 'repository.admin' | ||||
r399 | user.permissions['repositories'][perm.RepoToPerm.repository.repo_name] = p | |||
r316 | ||||
else: | ||||
r417 | #======================================================================= | |||
# set default permissions | ||||
#======================================================================= | ||||
r412 | ||||
r417 | #default global | |||
r423 | default_global_perms = sa.query(UserToPerm)\ | |||
.filter(UserToPerm.user == sa.query(User).filter(User.username == | ||||
'default').one()) | ||||
for perm in default_global_perms: | ||||
user.permissions['global'].add(perm.permission.permission_name) | ||||
r418 | ||||
r417 | #default repositories | |||
r316 | for perm in default_perms: | |||
r380 | if perm.Repository.private and not perm.Repository.user_id == user.user_id: | |||
r316 | #disable defaults for private repos, | |||
p = 'repository.none' | ||||
elif perm.Repository.user_id == user.user_id: | ||||
#set admin if owner | ||||
p = 'repository.admin' | ||||
else: | ||||
p = perm.Permission.permission_name | ||||
r399 | user.permissions['repositories'][perm.RepoToPerm.repository.repo_name] = p | |||
r316 | ||||
r417 | #======================================================================= | |||
# #overwrite default with user permissions if any | ||||
#======================================================================= | ||||
r423 | user_perms = sa.query(RepoToPerm, Permission, Repository)\ | |||
r399 | .join((Repository, RepoToPerm.repository_id == Repository.repo_id))\ | |||
.join((Permission, RepoToPerm.permission_id == Permission.permission_id))\ | ||||
.filter(RepoToPerm.user_id == user.user_id).all() | ||||
r417 | ||||
r316 | for perm in user_perms: | |||
r417 | if perm.Repository.user_id == user.user_id:#set admin if owner | |||
p = 'repository.admin' | ||||
r316 | else: | |||
p = perm.Permission.permission_name | ||||
r399 | user.permissions['repositories'][perm.RepoToPerm.repository.repo_name] = p | |||
r350 | meta.Session.remove() | |||
r316 | return user | |||
r299 | def get_user(session): | |||
""" | ||||
Gets user from session, and wraps permissions into user | ||||
@param session: | ||||
""" | ||||
user = session.get('hg_app_user', AuthUser()) | ||||
if user.is_authenticated: | ||||
r371 | user = fill_data(user) | |||
r412 | user = fill_perms(user) | |||
r316 | session['hg_app_user'] = user | |||
session.save() | ||||
r299 | return user | |||
r239 | ||||
r190 | #=============================================================================== | |||
r316 | # CHECK DECORATORS | |||
r190 | #=============================================================================== | |||
class LoginRequired(object): | ||||
r377 | """Must be logged in to execute this function else redirect to login page""" | |||
r316 | ||||
r190 | def __call__(self, func): | |||
r377 | return decorator(self.__wrapper, func) | |||
def __wrapper(self, func, *fargs, **fkwargs): | ||||
user = session.get('hg_app_user', AuthUser()) | ||||
log.debug('Checking login required for user:%s', user.username) | ||||
if user.is_authenticated: | ||||
log.debug('user %s is authenticated', user.username) | ||||
return func(*fargs, **fkwargs) | ||||
else: | ||||
log.warn('user %s not authenticated', user.username) | ||||
r437 | ||||
p = request.environ.get('PATH_INFO') | ||||
if request.environ.get('QUERY_STRING'): | ||||
p+='?'+request.environ.get('QUERY_STRING') | ||||
r442 | log.debug('redirecting to login page with %s',p) | |||
r437 | return redirect(url('login_home',came_from=p)) | |||
r239 | ||||
class PermsDecorator(object): | ||||
r377 | """Base class for decorators""" | |||
r239 | ||||
r316 | def __init__(self, *required_perms): | |||
available_perms = config['available_permissions'] | ||||
for perm in required_perms: | ||||
r239 | if perm not in available_perms: | |||
r316 | raise Exception("'%s' permission is not defined" % perm) | |||
self.required_perms = set(required_perms) | ||||
self.user_perms = None | ||||
r239 | ||||
r316 | def __call__(self, func): | |||
r377 | return decorator(self.__wrapper, func) | |||
def __wrapper(self, func, *fargs, **fkwargs): | ||||
# _wrapper.__name__ = func.__name__ | ||||
# _wrapper.__dict__.update(func.__dict__) | ||||
# _wrapper.__doc__ = func.__doc__ | ||||
self.user_perms = session.get('hg_app_user', AuthUser()).permissions | ||||
log.debug('checking %s permissions %s for %s', | ||||
self.__class__.__name__, self.required_perms, func.__name__) | ||||
if self.check_permissions(): | ||||
log.debug('Permission granted for %s', func.__name__) | ||||
r239 | ||||
r377 | return func(*fargs, **fkwargs) | |||
else: | ||||
log.warning('Permission denied for %s', func.__name__) | ||||
#redirect with forbidden ret code | ||||
return abort(403) | ||||
r239 | ||||
def check_permissions(self): | ||||
r377 | """Dummy function for overriding""" | |||
r239 | raise Exception('You have to write this function in child class') | |||
r316 | class HasPermissionAllDecorator(PermsDecorator): | |||
r377 | """Checks for access permission for all given predicates. All of them | |||
have to be meet in order to fulfill the request | ||||
r239 | """ | |||
def check_permissions(self): | ||||
r339 | if self.required_perms.issubset(self.user_perms.get('global')): | |||
r239 | return True | |||
return False | ||||
r316 | class HasPermissionAnyDecorator(PermsDecorator): | |||
r377 | """Checks for access permission for any of given predicates. In order to | |||
r239 | fulfill the request any of predicates must be meet | |||
""" | ||||
def check_permissions(self): | ||||
r339 | if self.required_perms.intersection(self.user_perms.get('global')): | |||
r316 | return True | |||
return False | ||||
class HasRepoPermissionAllDecorator(PermsDecorator): | ||||
r377 | """Checks for access permission for all given predicates for specific | |||
r316 | repository. All of them have to be meet in order to fulfill the request | |||
""" | ||||
def check_permissions(self): | ||||
repo_name = get_repo_slug(request) | ||||
r339 | try: | |||
user_perms = set([self.user_perms['repositories'][repo_name]]) | ||||
except KeyError: | ||||
return False | ||||
r316 | if self.required_perms.issubset(user_perms): | |||
return True | ||||
return False | ||||
class HasRepoPermissionAnyDecorator(PermsDecorator): | ||||
r377 | """Checks for access permission for any of given predicates for specific | |||
r316 | repository. In order to fulfill the request any of predicates must be meet | |||
""" | ||||
def check_permissions(self): | ||||
repo_name = get_repo_slug(request) | ||||
r339 | try: | |||
user_perms = set([self.user_perms['repositories'][repo_name]]) | ||||
except KeyError: | ||||
return False | ||||
r316 | if self.required_perms.intersection(user_perms): | |||
return True | ||||
return False | ||||
#=============================================================================== | ||||
# CHECK FUNCTIONS | ||||
#=============================================================================== | ||||
class PermsFunction(object): | ||||
r377 | """Base function for other check functions""" | |||
r316 | ||||
def __init__(self, *perms): | ||||
available_perms = config['available_permissions'] | ||||
for perm in perms: | ||||
if perm not in available_perms: | ||||
raise Exception("'%s' permission in not defined" % perm) | ||||
self.required_perms = set(perms) | ||||
self.user_perms = None | ||||
self.granted_for = '' | ||||
self.repo_name = None | ||||
def __call__(self, check_Location=''): | ||||
r333 | user = session.get('hg_app_user', False) | |||
if not user: | ||||
return False | ||||
r316 | self.user_perms = user.permissions | |||
self.granted_for = user.username | ||||
log.debug('checking %s %s', self.__class__.__name__, self.required_perms) | ||||
if self.check_permissions(): | ||||
log.debug('Permission granted for %s @%s', self.granted_for, | ||||
check_Location) | ||||
return True | ||||
else: | ||||
log.warning('Permission denied for %s @%s', self.granted_for, | ||||
check_Location) | ||||
return False | ||||
def check_permissions(self): | ||||
r377 | """Dummy function for overriding""" | |||
r316 | raise Exception('You have to write this function in child class') | |||
class HasPermissionAll(PermsFunction): | ||||
def check_permissions(self): | ||||
r339 | if self.required_perms.issubset(self.user_perms.get('global')): | |||
r316 | return True | |||
return False | ||||
class HasPermissionAny(PermsFunction): | ||||
def check_permissions(self): | ||||
r339 | if self.required_perms.intersection(self.user_perms.get('global')): | |||
r316 | return True | |||
return False | ||||
class HasRepoPermissionAll(PermsFunction): | ||||
def __call__(self, repo_name=None, check_Location=''): | ||||
self.repo_name = repo_name | ||||
return super(HasRepoPermissionAll, self).__call__(check_Location) | ||||
def check_permissions(self): | ||||
if not self.repo_name: | ||||
self.repo_name = get_repo_slug(request) | ||||
r339 | try: | |||
self.user_perms = set([self.user_perms['repositories']\ | ||||
[self.repo_name]]) | ||||
except KeyError: | ||||
return False | ||||
r316 | self.granted_for = self.repo_name | |||
if self.required_perms.issubset(self.user_perms): | ||||
return True | ||||
return False | ||||
class HasRepoPermissionAny(PermsFunction): | ||||
def __call__(self, repo_name=None, check_Location=''): | ||||
self.repo_name = repo_name | ||||
return super(HasRepoPermissionAny, self).__call__(check_Location) | ||||
def check_permissions(self): | ||||
if not self.repo_name: | ||||
self.repo_name = get_repo_slug(request) | ||||
r339 | try: | |||
self.user_perms = set([self.user_perms['repositories']\ | ||||
[self.repo_name]]) | ||||
except KeyError: | ||||
return False | ||||
r316 | self.granted_for = self.repo_name | |||
r239 | if self.required_perms.intersection(self.user_perms): | |||
return True | ||||
return False | ||||
r316 | #=============================================================================== | |||
# SPECIAL VERSION TO HANDLE MIDDLEWARE AUTH | ||||
#=============================================================================== | ||||
r239 | ||||
r316 | class HasPermissionAnyMiddleware(object): | |||
def __init__(self, *perms): | ||||
self.required_perms = set(perms) | ||||
def __call__(self, user, repo_name): | ||||
usr = AuthUser() | ||||
usr.user_id = user.user_id | ||||
usr.username = user.username | ||||
usr.is_admin = user.admin | ||||
try: | ||||
self.user_perms = set([fill_perms(usr)\ | ||||
.permissions['repositories'][repo_name]]) | ||||
except: | ||||
self.user_perms = set() | ||||
self.granted_for = '' | ||||
self.username = user.username | ||||
self.repo_name = repo_name | ||||
return self.check_permissions() | ||||
def check_permissions(self): | ||||
log.debug('checking mercurial protocol ' | ||||
'permissions for user:%s repository:%s', | ||||
self.username, self.repo_name) | ||||
if self.required_perms.intersection(self.user_perms): | ||||
log.debug('permission granted') | ||||
return True | ||||
log.debug('permission denied') | ||||
return False | ||||