##// END OF EJS Templates
Fix a lot of casings - use standard casing in most places
Fix a lot of casings - use standard casing in most places

File last commit:

r3632:1ec67ddc beta
r3654:ec635494 beta
Show More
auth.py
1030 lines | 35.0 KiB | text/x-python | PythonLexer
Added some more details into user edit permissions view
r895 # -*- coding: utf-8 -*-
"""
rhodecode.lib.auth
~~~~~~~~~~~~~~~~~~
source code cleanup: remove trailing white space, normalize file endings
r1203
Added some more details into user edit permissions view
r895 authentication and permission libraries
source code cleanup: remove trailing white space, normalize file endings
r1203
Added some more details into user edit permissions view
r895 :created_on: Apr 4, 2010
2012 copyrights
r1824 :author: marcink
:copyright: (C) 2010-2012 Marcin Kuzminski <marcin@python-works.com>
updated docstrings
r1532 :license: GPLv3, see COPYING for more details.
Added some more details into user edit permissions view
r895 """
fixed license issue #149
r1206 # This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
source code cleanup: remove trailing white space, normalize file endings
r1203 #
renamed project to rhodecode
r547 # This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
source code cleanup: remove trailing white space, normalize file endings
r1203 #
renamed project to rhodecode
r547 # You should have received a copy of the GNU General Public License
fixed license issue #149
r1206 # along with this program. If not, see <http://www.gnu.org/licenses/>.
renamed project to rhodecode
r547
Added some more details into user edit permissions view
r895 import random
import logging
import traceback
Added api_key into user, api key get's generated again after password change...
r1116 import hashlib
Fixed Windows installation based on work of Mantis406 fork: "Replace py-bcrypt to make Windows installation easier"...
r1118
Added api_key into user, api key get's generated again after password change...
r1116 from tempfile import _RandomNameSequence
Added some more details into user edit permissions view
r895 from decorator import decorator
#227 Initial version of repository groups permissions system...
r1982 from pylons import config, url, request
renamed project to rhodecode
r547 from pylons.controllers.util import abort, redirect
#113 removed anonymous access from forking, added system messages in login box.
r1056 from pylons.i18n.translation import _
IP restrictions now also enabled for IPv6
r3212 from sqlalchemy.orm.exc import ObjectDeletedError
Added some more details into user edit permissions view
r895
Deprecated validation of operating system, we just care if it's windows, let approve all other...
r2634 from rhodecode import __platform__, is_windows, is_unix
commit less models...
r1749 from rhodecode.model.meta import Session
Fixed Windows installation based on work of Mantis406 fork: "Replace py-bcrypt to make Windows installation easier"...
r1118
utils/conf...
r2109 from rhodecode.lib.utils2 import str2bool, safe_unicode
Mads Kiilerich
ldap: handle more elegantly that python-ldap isn't installed when trying to use ldap...
r3632 from rhodecode.lib.exceptions import LdapPasswordError, LdapUsernameError,\
LdapImportError
#227 Initial version of repository groups permissions system...
r1982 from rhodecode.lib.utils import get_repo_slug, get_repos_group_slug
fixed #72 show warning on removal when user still is owner of existing repositories...
r713 from rhodecode.lib.auth_ldap import AuthLdap
Added some more details into user edit permissions view
r895
renamed project to rhodecode
r547 from rhodecode.model import meta
#49 Enabled anonymous access for web interface controllable from permissions pannel
r673 from rhodecode.model.user import UserModel
Added UserIpMap interface for allowed IP addresses and IP restriction access...
r3125 from rhodecode.model.db import Permission, RhodeCodeSetting, User, UserIpMap
Full IP restrictions enabled...
r3146 from rhodecode.lib.caching_query import FromCache
Added some more details into user edit permissions view
r895
PEP8ify
r1246 log = logging.getLogger(__name__)
renamed project to rhodecode
r547
class PasswordGenerator(object):
notification to commit author + gardening
r1716 """
auto white-space removal
r1818 This is a simple class for generating password from different sets of
notification to commit author + gardening
r1716 characters
usage::
renamed project to rhodecode
r547 passwd_gen = PasswordGenerator()
PEP8ify
r1246 #print 8-letter password containing only big and small letters
of alphabet
print statement cleanup
r2278 passwd_gen.gen_password(8, passwd_gen.ALPHABETS_BIG_SMALL)
renamed project to rhodecode
r547 """
PEP8ify
r1246 ALPHABETS_NUM = r'''1234567890'''
ALPHABETS_SMALL = r'''qwertyuiopasdfghjklzxcvbnm'''
ALPHABETS_BIG = r'''QWERTYUIOPASDFGHJKLZXCVBNM'''
ALPHABETS_SPECIAL = r'''`-=[]\;',./~!@#$%^&*()_+{}|:"<>?'''
ALPHABETS_FULL = ALPHABETS_BIG + ALPHABETS_SMALL \
+ ALPHABETS_NUM + ALPHABETS_SPECIAL
ALPHABETS_ALPHANUM = ALPHABETS_BIG + ALPHABETS_SMALL + ALPHABETS_NUM
renamed project to rhodecode
r547 ALPHABETS_BIG_SMALL = ALPHABETS_BIG + ALPHABETS_SMALL
PEP8ify
r1246 ALPHABETS_ALPHANUM_BIG = ALPHABETS_BIG + ALPHABETS_NUM
ALPHABETS_ALPHANUM_SMALL = ALPHABETS_SMALL + ALPHABETS_NUM
#49 Enabled anonymous access for web interface controllable from permissions pannel
r673
renamed project to rhodecode
r547 def __init__(self, passwd=''):
self.passwd = passwd
added optional password type in password generator
r1993 def gen_password(self, length, type_=None):
if type_ is None:
type_ = self.ALPHABETS_FULL
#227 Initial version of repository groups permissions system...
r1982 self.passwd = ''.join([random.choice(type_) for _ in xrange(length)])
renamed project to rhodecode
r547 return self.passwd
PEP8ify
r1246
Fixed Windows installation based on work of Mantis406 fork: "Replace py-bcrypt to make Windows installation easier"...
r1118 class RhodeCodeCrypto(object):
@classmethod
def hash_string(cls, str_):
"""
Cryptographic function used for password hashing based on pybcrypt
or pycrypto in windows
source code cleanup: remove trailing white space, normalize file endings
r1203
Fixed Windows installation based on work of Mantis406 fork: "Replace py-bcrypt to make Windows installation easier"...
r1118 :param password: password to hash
"""
Deprecated validation of operating system, we just care if it's windows, let approve all other...
r2634 if is_windows:
Added validation into user email map
r2479 from hashlib import sha256
Fixed Windows installation based on work of Mantis406 fork: "Replace py-bcrypt to make Windows installation easier"...
r1118 return sha256(str_).hexdigest()
Deprecated validation of operating system, we just care if it's windows, let approve all other...
r2634 elif is_unix:
Added validation into user email map
r2479 import bcrypt
Fixed Windows installation based on work of Mantis406 fork: "Replace py-bcrypt to make Windows installation easier"...
r1118 return bcrypt.hashpw(str_, bcrypt.gensalt(10))
else:
PEP8ify
r1246 raise Exception('Unknown or unsupported platform %s' \
% __platform__)
Fixed Windows installation based on work of Mantis406 fork: "Replace py-bcrypt to make Windows installation easier"...
r1118
@classmethod
def hash_check(cls, password, hashed):
"""
Checks matching password with it's hashed value, runs different
implementation based on platform it runs on
source code cleanup: remove trailing white space, normalize file endings
r1203
Fixed Windows installation based on work of Mantis406 fork: "Replace py-bcrypt to make Windows installation easier"...
r1118 :param password: password
:param hashed: password in hashed form
"""
Deprecated validation of operating system, we just care if it's windows, let approve all other...
r2634 if is_windows:
Added validation into user email map
r2479 from hashlib import sha256
Fixed Windows installation based on work of Mantis406 fork: "Replace py-bcrypt to make Windows installation easier"...
r1118 return sha256(password).hexdigest() == hashed
Deprecated validation of operating system, we just care if it's windows, let approve all other...
r2634 elif is_unix:
Added validation into user email map
r2479 import bcrypt
Fixed Windows installation based on work of Mantis406 fork: "Replace py-bcrypt to make Windows installation easier"...
r1118 return bcrypt.hashpw(password, hashed) == hashed
else:
PEP8ify
r1246 raise Exception('Unknown or unsupported platform %s' \
% __platform__)
Fixed Windows installation based on work of Mantis406 fork: "Replace py-bcrypt to make Windows installation easier"...
r1118
#49 Enabled anonymous access for web interface controllable from permissions pannel
r673
renamed project to rhodecode
r547 def get_crypt_password(password):
Fixed Windows installation based on work of Mantis406 fork: "Replace py-bcrypt to make Windows installation easier"...
r1118 return RhodeCodeCrypto.hash_string(password)
PEP8ify
r1246
Fixed Windows installation based on work of Mantis406 fork: "Replace py-bcrypt to make Windows installation easier"...
r1118 def check_password(password, hashed):
return RhodeCodeCrypto.hash_check(password, hashed)
renamed project to rhodecode
r547
#344 optional firstname lastname on user creation...
r1950
Some code cleanups and fixes
r1628 def generate_api_key(str_, salt=None):
"""
Generates API KEY from given string
auto white-space removal
r1818
Some code cleanups and fixes
r1628 :param str_:
:param salt:
"""
reduce cookie size for better support of client side sessions
r1718
Added api_key into user, api key get's generated again after password change...
r1116 if salt is None:
salt = _RandomNameSequence().next()
Some code cleanups and fixes
r1628 return hashlib.sha1(str_ + salt).hexdigest()
Added api_key into user, api key get's generated again after password change...
r1116
PEP8ify
r1246
renamed project to rhodecode
r547 def authfunc(environ, username, password):
Some code cleanups and fixes
r1628 """
auto white-space removal
r1818 Dummy authentication wrapper function used in Mercurial and Git for
typo fixes
r1644 access control.
source code cleanup: remove trailing white space, normalize file endings
r1203
ldap auth rewrite, moved split authfunc into two functions,...
r761 :param environ: needed only for using in Basic auth
"""
return authenticate(username, password)
def authenticate(username, password):
Some code cleanups and fixes
r1628 """
Authentication function used for access control,
Code refactor for auth func, preparing for ldap support...
r699 firstly checks for db authentication then if ldap is enabled for ldap
implements #60, ldap configuration and authentication....
r705 authentication, also creates ldap user if not in database
source code cleanup: remove trailing white space, normalize file endings
r1203
Code refactor for auth func, preparing for ldap support...
r699 :param username: username
:param password: password
"""
added some fixes to LDAP form re-submition, new simples ldap-settings getter....
r1292
implements #60, ldap configuration and authentication....
r705 user_model = UserModel()
Refactoring of model get functions
r1530 user = User.get_by_username(username)
Code refactor for auth func, preparing for ldap support...
r699
ldap auth rewrite, moved split authfunc into two functions,...
r761 log.debug('Authenticating user using RhodeCode account')
Thayne Harbaugh
Improve LDAP authentication...
r991 if user is not None and not user.ldap_dn:
renamed project to rhodecode
r547 if user.active:
#49 Enabled anonymous access push and pull commands
r674 if user.username == 'default' and user.active:
more work on improving info logging
r2025 log.info('user %s authenticated correctly as anonymous user' %
ldap auth rewrite, moved split authfunc into two functions,...
r761 username)
#49 Enabled anonymous access push and pull commands
r674 return True
PEP8ify
r1246 elif user.username == username and check_password(password,
user.password):
garden...
r1976 log.info('user %s authenticated correctly' % username)
renamed project to rhodecode
r547 return True
else:
more work on improving info logging
r2025 log.warning('user %s tried auth but is disabled' % username)
implements #60, ldap configuration and authentication....
r705
else:
ldap auth rewrite, moved split authfunc into two functions,...
r761 log.debug('Regular authentication failed')
Refactoring of model get functions
r1530 user_obj = User.get_by_username(username, case_insensitive=True)
ldap auth rewrite, moved split authfunc into two functions,...
r761
Thayne Harbaugh
Improve LDAP authentication...
r991 if user_obj is not None and not user_obj.ldap_dn:
added debug message for ldap auth
r749 log.debug('this user already exists as non ldap')
fixed ldap issue and small template fix
r748 return False
refactoring of models names for repoGroup permissions
r1633 ldap_settings = RhodeCodeSetting.get_ldap_settings()
implements #60, ldap configuration and authentication....
r705 #======================================================================
source code cleanup: remove trailing white space, normalize file endings
r1203 # FALLBACK TO LDAP AUTH IF ENABLE
implements #60, ldap configuration and authentication....
r705 #======================================================================
fixed some config bool converter problems with ldap
r1135 if str2bool(ldap_settings.get('ldap_active')):
ldap auth rewrite, moved split authfunc into two functions,...
r761 log.debug("Authenticating user using ldap")
implements #60, ldap configuration and authentication....
r705 kwargs = {
PEP8ify
r1246 'server': ldap_settings.get('ldap_host', ''),
'base_dn': ldap_settings.get('ldap_base_dn', ''),
'port': ldap_settings.get('ldap_port'),
'bind_dn': ldap_settings.get('ldap_dn_user'),
'bind_pass': ldap_settings.get('ldap_dn_pass'),
"Lorenzo M. Catucci"
Enable start_tls connection encryption.
r1290 'tls_kind': ldap_settings.get('ldap_tls_kind'),
PEP8ify
r1246 'tls_reqcert': ldap_settings.get('ldap_tls_reqcert'),
'ldap_filter': ldap_settings.get('ldap_filter'),
'search_scope': ldap_settings.get('ldap_search_scope'),
'attr_login': ldap_settings.get('ldap_attr_login'),
'ldap_version': 3,
implements #60, ldap configuration and authentication....
r705 }
log.debug('Checking for ldap authentication')
try:
aldap = AuthLdap(**kwargs)
PEP8ify
r1246 (user_dn, ldap_attrs) = aldap.authenticate_ldap(username,
password)
garden...
r1976 log.debug('Got ldap DN response %s' % user_dn)
implements #60, ldap configuration and authentication....
r705
pep8ify
r1307 get_ldap_attr = lambda k: ldap_attrs.get(ldap_settings\
added some fixes to LDAP form re-submition, new simples ldap-settings getter....
r1292 .get(k), [''])[0]
Thayne Harbaugh
Improve LDAP authentication...
r991 user_attrs = {
fixes #173, many thanks for slestak for contributing into this one.
r1425 'name': safe_unicode(get_ldap_attr('ldap_attr_firstname')),
'lastname': safe_unicode(get_ldap_attr('ldap_attr_lastname')),
'email': get_ldap_attr('ldap_attr_email'),
fixes #762, LDAP and container created users are now activated based on...
r3370 'active': 'hg.register.auto_activate' in User\
.get_by_username('default').AuthUser.permissions['global']
fixes #173, many thanks for slestak for contributing into this one.
r1425 }
added migrations from 1.2.X to 1.3
r2000
# don't store LDAP password since we don't need it. Override
#355 replaced stored LDAP password with some random generated one
r1992 # with some random generated password
_password = PasswordGenerator().gen_password(length=8)
# create this user on the fly if it doesn't exist in rhodecode
# database
if user_model.create_ldap(username, _password, user_dn,
PEP8ify
r1246 user_attrs):
garden...
r1976 log.info('created new ldap user %s' % username)
auto white-space removal
r1818
Deprecated validation of operating system, we just care if it's windows, let approve all other...
r2634 Session().commit()
ldap auth rewrite, moved split authfunc into two functions,...
r761 return True
Mads Kiilerich
ldap: handle more elegantly that python-ldap isn't installed when trying to use ldap...
r3632 except (LdapUsernameError, LdapPasswordError, LdapImportError):
ldap auth rewrite, moved split authfunc into two functions,...
r761 pass
except (Exception,):
implements #60, ldap configuration and authentication....
r705 log.error(traceback.format_exc())
ldap auth rewrite, moved split authfunc into two functions,...
r761 pass
renamed project to rhodecode
r547 return False
#344 optional firstname lastname on user creation...
r1950
Liad Shani
Added basic automatic user creation for container auth
r1621 def login_container_auth(username):
user = User.get_by_username(username)
if user is None:
user_attrs = {
Some code cleanups and fixes
r1628 'name': username,
'lastname': None,
'email': None,
fixes #762, LDAP and container created users are now activated based on...
r3370 'active': 'hg.register.auto_activate' in User\
.get_by_username('default').AuthUser.permissions['global']
Some code cleanups and fixes
r1628 }
commit less models...
r1749 user = UserModel().create_for_container_auth(username, user_attrs)
Some code cleanups and fixes
r1628 if not user:
Liad Shani
Added basic automatic user creation for container auth
r1621 return None
garden...
r1976 log.info('User %s was created by container authentication' % username)
Liad Shani
Added basic automatic user creation for container auth
r1621
if not user.active:
return None
user.update_lastlogin()
Deprecated validation of operating system, we just care if it's windows, let approve all other...
r2634 Session().commit()
auto white-space removal
r1818
reduce cookie size for better support of client side sessions
r1718 log.debug('User %s is now logged in by container authentication',
Some code cleanups and fixes
r1628 user.username)
Liad Shani
Added basic automatic user creation for container auth
r1621 return user
#344 optional firstname lastname on user creation...
r1950
adde cleanup username flag into get_container_username function
r3173 def get_container_username(environ, config, clean_username=False):
"""
Get's the container_auth username (or email). It tries to get username
from REMOTE_USER if container_auth_enabled is enabled, if that fails
it tries to get username from HTTP_X_FORWARDED_USER if proxypass_auth_enabled
is enabled. clean_username extracts the username from this data if it's
having @ in it.
:param environ:
:param config:
:param clean_username:
"""
Liad Shani
Improved container-based auth support for middleware
r1630 username = None
Liad Shani
Added basic automatic user creation for container auth
r1621
Liad Shani
Improved container-based auth support for middleware
r1630 if str2bool(config.get('container_auth_enabled', False)):
from paste.httpheaders import REMOTE_USER
username = REMOTE_USER(environ)
added some more logging into get_container_username function
r3172 log.debug('extracted REMOTE_USER:%s' % (username))
Liad Shani
Improved container-based auth support for middleware
r1630
if not username and str2bool(config.get('proxypass_auth_enabled', False)):
Liad Shani
Improved container-based auth implementation and added support for a reverse-proxy setup (using the X-Forwarded-User header)
r1617 username = environ.get('HTTP_X_FORWARDED_USER')
added some more logging into get_container_username function
r3172 log.debug('extracted HTTP_X_FORWARDED_USER:%s' % (username))
Liad Shani
Improved container-based auth implementation and added support for a reverse-proxy setup (using the X-Forwarded-User header)
r1617
adde cleanup username flag into get_container_username function
r3173 if username and clean_username:
Some code cleanups and fixes
r1628 # Removing realm and domain from username
Liad Shani
Improved container-based auth implementation and added support for a reverse-proxy setup (using the X-Forwarded-User header)
r1617 username = username.partition('@')[0]
username = username.rpartition('\\')[2]
added some more logging into get_container_username function
r3172 log.debug('Received username %s from container' % username)
Liad Shani
Improved container-based auth implementation and added support for a reverse-proxy setup (using the X-Forwarded-User header)
r1617
return username
PEP8ify
r1246
#344 optional firstname lastname on user creation...
r1950
Added session wrapper, for rc 1.2.X compatibility. Adds backwards compatability...
r2030 class CookieStoreWrapper(object):
def __init__(self, cookie_store):
self.cookie_store = cookie_store
def __repr__(self):
return 'CookieStore<%s>' % (self.cookie_store)
def get(self, key, other=None):
if isinstance(self.cookie_store, dict):
return self.cookie_store.get(key, other)
elif isinstance(self.cookie_store, AuthUser):
return self.cookie_store.__dict__.get(key, other)
renamed project to rhodecode
r547 class AuthUser(object):
Major rewrite of auth objects. Moved parts of filling user data into user model....
r1117 """
A simple object that handles all attributes of user in RhodeCode
source code cleanup: remove trailing white space, normalize file endings
r1203
Major rewrite of auth objects. Moved parts of filling user data into user model....
r1117 It does lookup based on API key,given user, or user present in session
source code cleanup: remove trailing white space, normalize file endings
r1203 Then it fills all required information for such user. It also checks if
Major rewrite of auth objects. Moved parts of filling user data into user model....
r1117 anonymous access is enabled and if so, it returns default user as logged
in
renamed project to rhodecode
r547 """
#56 added propagation of permission from group
r1016
Added UserIpMap interface for allowed IP addresses and IP restriction access...
r3125 def __init__(self, user_id=None, api_key=None, username=None, ip_addr=None):
Major rewrite of auth objects. Moved parts of filling user data into user model....
r1117
self.user_id = user_id
fixed some bugs in api key auth, added access by api key into rss/atom feeds in global journal...
r1120 self.api_key = None
Liad Shani
Improved container-based auth implementation and added support for a reverse-proxy setup (using the X-Forwarded-User header)
r1617 self.username = username
Added UserIpMap interface for allowed IP addresses and IP restriction access...
r3125 self.ip_addr = ip_addr
Some code cleanups and fixes
r1628
renamed project to rhodecode
r547 self.name = ''
self.lastname = ''
self.email = ''
self.is_authenticated = False
Major rewrite of auth objects. Moved parts of filling user data into user model....
r1117 self.admin = False
fixed error when disabled anonymous access lead to error on server
r2714 self.inherit_default_permissions = False
renamed project to rhodecode
r547 self.permissions = {}
fixed some bugs in api key auth, added access by api key into rss/atom feeds in global journal...
r1120 self._api_key = api_key
Major rewrite of auth objects. Moved parts of filling user data into user model....
r1117 self.propagate_data()
#344 optional firstname lastname on user creation...
r1950 self._instance = None
Major rewrite of auth objects. Moved parts of filling user data into user model....
r1117
def propagate_data(self):
user_model = UserModel()
- fixes celery sqlalchemy session issues for async forking...
r1728 self.anonymous_user = User.get_by_username('default', cache=True)
Liad Shani
Added container-based authentication support
r1613 is_user_loaded = False
reduce cookie size for better support of client side sessions
r1718
Some code cleanups and fixes
r1628 # try go get user by api key
disabled api key for anonymous users, and added api_key to rss/atom links for other users
r1122 if self._api_key and self._api_key != self.anonymous_user.api_key:
garden...
r1976 log.debug('Auth User lookup by API KEY %s' % self._api_key)
Liad Shani
Added automatic logout of deactivated/deleted users
r1618 is_user_loaded = user_model.fill_data(self, api_key=self._api_key)
auto white-space removal
r1818 # lookup by userid
reduce cookie size for better support of client side sessions
r1718 elif (self.user_id is not None and
Some code cleanups and fixes
r1628 self.user_id != self.anonymous_user.user_id):
garden...
r1976 log.debug('Auth User lookup by USER ID %s' % self.user_id)
Liad Shani
Added automatic logout of deactivated/deleted users
r1618 is_user_loaded = user_model.fill_data(self, user_id=self.user_id)
fix issue #323 auth by suername only if container auth is enabled
r1808 # lookup by username
elif self.username and \
str2bool(config.get('container_auth_enabled', False)):
auto white-space removal
r1818
garden...
r1976 log.debug('Auth User lookup by USER NAME %s' % self.username)
Liad Shani
Added basic automatic user creation for container auth
r1621 dbuser = login_container_auth(self.username)
if dbuser is not None:
RhodeCode now has a option to explicitly set forking permissions. ref #508...
r2709 log.debug('filling all attributes to object')
Liad Shani
Added container-based authentication support
r1613 for k, v in dbuser.get_dict().items():
setattr(self, k, v)
self.set_authenticated()
is_user_loaded = True
fixed issue with sessions that lead to redirection loops
r2045 else:
log.debug('No data in %s that could been used to log in' % self)
Liad Shani
Added container-based authentication support
r1613
if not is_user_loaded:
Some code cleanups and fixes
r1628 # if we cannot authenticate user try anonymous
Mads Kiilerich
follow Python conventions for boolean values...
r3625 if self.anonymous_user.active:
reduce cookie size for better support of client side sessions
r1718 user_model.fill_data(self, user_id=self.anonymous_user.user_id)
Some code cleanups and fixes
r1628 # then we set this user is logged in
Liad Shani
Added container-based authentication support
r1613 self.is_authenticated = True
Major rewrite of auth objects. Moved parts of filling user data into user model....
r1117 else:
Liad Shani
Added automatic logout of deactivated/deleted users
r1618 self.user_id = None
self.username = None
Liad Shani
Added container-based authentication support
r1613 self.is_authenticated = False
Major rewrite of auth objects. Moved parts of filling user data into user model....
r1117
Liad Shani
Improved container-based auth implementation and added support for a reverse-proxy setup (using the X-Forwarded-User header)
r1617 if not self.username:
self.username = 'None'
garden...
r1976 log.debug('Auth User is now %s' % self)
Major rewrite of auth objects. Moved parts of filling user data into user model....
r1117 user_model.fill_perms(self)
@property
def is_admin(self):
return self.admin
renamed project to rhodecode
r547
Full IP restrictions enabled...
r3146 @property
Show admin dropdown for users who are admin of repo groups
r3371 def repos_admin(self):
"""
Returns list of repositories you're an admin of
"""
return [x[0] for x in self.permissions['repositories'].iteritems()
if x[1] == 'repository.admin']
@property
def groups_admin(self):
"""
fixed tests and missing replacements from 5f1850e4712a
r3415 Returns list of repository groups you're an admin of
Show admin dropdown for users who are admin of repo groups
r3371 """
return [x[0] for x in self.permissions['repositories_groups'].iteritems()
if x[1] == 'group.admin']
@property
Full IP restrictions enabled...
r3146 def ip_allowed(self):
"""
Checks if ip_addr used in constructor is allowed from defined list of
allowed ip_addresses for user
:returns: boolean, True if ip is in allowed ip range
"""
#check IP
allowed_ips = AuthUser.get_allowed_ips(self.user_id, cache=True)
if check_ip_access(source_ip=self.ip_addr, allowed_ips=allowed_ips):
log.debug('IP:%s is in range of %s' % (self.ip_addr, allowed_ips))
return True
else:
log.info('Access for IP:%s forbidden, '
'not in %s' % (self.ip_addr, allowed_ips))
return False
#49 Enabled anonymous access for web interface controllable from permissions pannel
r673 def __repr__(self):
Major rewrite of auth objects. Moved parts of filling user data into user model....
r1117 return "<AuthUser('id:%s:%s|%s')>" % (self.user_id, self.username,
self.is_authenticated)
def set_authenticated(self, authenticated=True):
if self.user_id != self.anonymous_user.user_id:
self.is_authenticated = authenticated
reduce cookie size for better support of client side sessions
r1718 def get_cookie_store(self):
#344 optional firstname lastname on user creation...
r1950 return {'username': self.username,
reduce cookie size for better support of client side sessions
r1718 'user_id': self.user_id,
#344 optional firstname lastname on user creation...
r1950 'is_authenticated': self.is_authenticated}
reduce cookie size for better support of client side sessions
r1718
@classmethod
def from_cookie_store(cls, cookie_store):
Added session wrapper, for rc 1.2.X compatibility. Adds backwards compatability...
r2030 """
Creates AuthUser from a cookie store
:param cls:
:param cookie_store:
"""
reduce cookie size for better support of client side sessions
r1718 user_id = cookie_store.get('user_id')
username = cookie_store.get('username')
api_key = cookie_store.get('api_key')
return AuthUser(user_id, api_key, username)
renamed project to rhodecode
r547
Added UserIpMap interface for allowed IP addresses and IP restriction access...
r3125 @classmethod
Full IP restrictions enabled...
r3146 def get_allowed_ips(cls, user_id, cache=False):
Added UserIpMap interface for allowed IP addresses and IP restriction access...
r3125 _set = set()
Full IP restrictions enabled...
r3146 user_ips = UserIpMap.query().filter(UserIpMap.user_id == user_id)
if cache:
user_ips = user_ips.options(FromCache("sql_cache_short",
"get_user_ips_%s" % user_id))
Added UserIpMap interface for allowed IP addresses and IP restriction access...
r3125 for ip in user_ips:
IP restrictions now also enabled for IPv6
r3212 try:
_set.add(ip.ip_addr)
except ObjectDeletedError:
# since we use heavy caching sometimes it happens that we get
# deleted objects here, we just skip them
pass
return _set or set(['0.0.0.0/0', '::/0'])
Added UserIpMap interface for allowed IP addresses and IP restriction access...
r3125
#344 optional firstname lastname on user creation...
r1950
renamed project to rhodecode
r547 def set_available_permissions(config):
Some code cleanups and fixes
r1628 """
This function will propagate pylons globals with all available defined
source code cleanup: remove trailing white space, normalize file endings
r1203 permission given in db. We don't want to check each time from db for new
renamed project to rhodecode
r547 permissions since adding a new permission also requires application restart
ie. to decorate new views with the newly created permission
source code cleanup: remove trailing white space, normalize file endings
r1203
Added some more details into user edit permissions view
r895 :param config: current pylons config instance
source code cleanup: remove trailing white space, normalize file endings
r1203
renamed project to rhodecode
r547 """
log.info('getting information about all available permissions')
try:
commit less models...
r1749 sa = meta.Session
renamed project to rhodecode
r547 all_perms = sa.query(Permission).all()
#344 optional firstname lastname on user creation...
r1950 except Exception:
Code refactoring,models renames...
r629 pass
renamed project to rhodecode
r547 finally:
meta.Session.remove()
#49 Enabled anonymous access for web interface controllable from permissions pannel
r673
renamed project to rhodecode
r547 config['available_permissions'] = [x.permission_name for x in all_perms]
PEP8ify
r1246
#==============================================================================
renamed project to rhodecode
r547 # CHECK DECORATORS
PEP8ify
r1246 #==============================================================================
renamed project to rhodecode
r547 class LoginRequired(object):
Major rewrite of auth objects. Moved parts of filling user data into user model....
r1117 """
source code cleanup: remove trailing white space, normalize file endings
r1203 Must be logged in to execute this function else
Major rewrite of auth objects. Moved parts of filling user data into user model....
r1117 redirect to login page
source code cleanup: remove trailing white space, normalize file endings
r1203
Major rewrite of auth objects. Moved parts of filling user data into user model....
r1117 :param api_access: if enabled this checks only for valid auth token
and grants access based on valid token
"""
def __init__(self, api_access=False):
self.api_access = api_access
#49 Enabled anonymous access for web interface controllable from permissions pannel
r673
renamed project to rhodecode
r547 def __call__(self, func):
return decorator(self.__wrapper, func)
#49 Enabled anonymous access for web interface controllable from permissions pannel
r673
renamed project to rhodecode
r547 def __wrapper(self, func, *fargs, **fkwargs):
Major rewrite of auth objects. Moved parts of filling user data into user model....
r1117 cls = fargs[0]
user = cls.rhodecode_user
Full IP restrictions enabled...
r3146 loc = "%s:%s" % (cls.__class__.__name__, func.__name__)
#check IP
ip_access_ok = True
if not user.ip_allowed:
from rhodecode.lib import helpers as h
h.flash(h.literal(_('IP %s not allowed' % (user.ip_addr))),
category='warning')
ip_access_ok = False
Major rewrite of auth objects. Moved parts of filling user data into user model....
r1117
api_access_ok = False
if self.api_access:
garden...
r1976 log.debug('Checking API KEY access for %s' % cls)
Major rewrite of auth objects. Moved parts of filling user data into user model....
r1117 if user.api_key == request.GET.get('api_key'):
api_access_ok = True
else:
log.debug("API KEY token not valid")
Full IP restrictions enabled...
r3146
more work on improving info logging
r2025 log.debug('Checking if %s is authenticated @ %s' % (user.username, loc))
Full IP restrictions enabled...
r3146 if (user.is_authenticated or api_access_ok) and ip_access_ok:
Little more verbose logging for auth
r2458 reason = 'RegularAuth' if user.is_authenticated else 'APIAuth'
log.info('user %s is authenticated and granted access to %s '
'using %s' % (user.username, loc, reason)
more work on improving info logging
r2025 )
renamed project to rhodecode
r547 return func(*fargs, **fkwargs)
else:
more work on improving info logging
r2025 log.warn('user %s NOT authenticated on func: %s' % (
user, loc)
)
changed the way of generating url for came_from
r1207 p = url.current()
#49 Enabled anonymous access for web interface controllable from permissions pannel
r673
garden...
r1976 log.debug('redirecting to login page with %s' % p)
renamed project to rhodecode
r547 return redirect(url('login_home', came_from=p))
PEP8ify
r1246
Added isanonymous decorator for checking permissions for anonymous access
r779 class NotAnonymous(object):
notification to commit author + gardening
r1716 """
Must be logged in to execute this function else
Added isanonymous decorator for checking permissions for anonymous access
r779 redirect to login page"""
def __call__(self, func):
return decorator(self.__wrapper, func)
def __wrapper(self, func, *fargs, **fkwargs):
Major rewrite of auth objects. Moved parts of filling user data into user model....
r1117 cls = fargs[0]
self.user = cls.rhodecode_user
Added isanonymous decorator for checking permissions for anonymous access
r779
garden...
r1976 log.debug('Checking if user is not anonymous @%s' % cls)
Major rewrite of auth objects. Moved parts of filling user data into user model....
r1117
anonymous = self.user.username == 'default'
Added isanonymous decorator for checking permissions for anonymous access
r779
if anonymous:
fixed redirection link in notAnonymous decorator
r1335 p = url.current()
#113 removed anonymous access from forking, added system messages in login box.
r1056
import rhodecode.lib.helpers as h
PEP8ify
r1246 h.flash(_('You need to be a registered user to '
'perform this action'),
#113 removed anonymous access from forking, added system messages in login box.
r1056 category='warning')
Added isanonymous decorator for checking permissions for anonymous access
r779 return redirect(url('login_home', came_from=p))
else:
return func(*fargs, **fkwargs)
PEP8ify
r1246
renamed project to rhodecode
r547 class PermsDecorator(object):
Major rewrite of auth objects. Moved parts of filling user data into user model....
r1117 """Base class for controller decorators"""
#49 Enabled anonymous access for web interface controllable from permissions pannel
r673
renamed project to rhodecode
r547 def __init__(self, *required_perms):
available_perms = config['available_permissions']
for perm in required_perms:
if perm not in available_perms:
raise Exception("'%s' permission is not defined" % perm)
self.required_perms = set(required_perms)
self.user_perms = None
#49 Enabled anonymous access for web interface controllable from permissions pannel
r673
renamed project to rhodecode
r547 def __call__(self, func):
return decorator(self.__wrapper, func)
#49 Enabled anonymous access for web interface controllable from permissions pannel
r673
renamed project to rhodecode
r547 def __wrapper(self, func, *fargs, **fkwargs):
Major rewrite of auth objects. Moved parts of filling user data into user model....
r1117 cls = fargs[0]
self.user = cls.rhodecode_user
#49 Enabled anonymous access for web interface controllable from permissions pannel
r673 self.user_perms = self.user.permissions
log.debug('checking %s permissions %s for %s %s',
more detailed logging on auth system...
r2125 self.__class__.__name__, self.required_perms, cls, self.user)
renamed project to rhodecode
r547
if self.check_permissions():
garden...
r1976 log.debug('Permission granted for %s %s' % (cls, self.user))
renamed project to rhodecode
r547 return func(*fargs, **fkwargs)
#49 Enabled anonymous access for web interface controllable from permissions pannel
r673
renamed project to rhodecode
r547 else:
more work on improving info logging
r2025 log.debug('Permission denied for %s %s' % (cls, self.user))
Do a redirect to login for anonymous users
r1336 anonymous = self.user.username == 'default'
if anonymous:
p = url.current()
import rhodecode.lib.helpers as h
h.flash(_('You need to be a signed in to '
'view this page'),
category='warning')
return redirect(url('login_home', came_from=p))
else:
Some code cleanups and fixes
r1628 # redirect with forbidden ret code
Do a redirect to login for anonymous users
r1336 return abort(403)
renamed project to rhodecode
r547
def check_permissions(self):
"""Dummy function for overriding"""
raise Exception('You have to write this function in child class')
PEP8ify
r1246
renamed project to rhodecode
r547 class HasPermissionAllDecorator(PermsDecorator):
notification to commit author + gardening
r1716 """
Checks for access permission for all given predicates. All of them
renamed project to rhodecode
r547 have to be meet in order to fulfill the request
"""
#49 Enabled anonymous access for web interface controllable from permissions pannel
r673
renamed project to rhodecode
r547 def check_permissions(self):
if self.required_perms.issubset(self.user_perms.get('global')):
return True
return False
#49 Enabled anonymous access for web interface controllable from permissions pannel
r673
renamed project to rhodecode
r547
class HasPermissionAnyDecorator(PermsDecorator):
notification to commit author + gardening
r1716 """
Checks for access permission for any of given predicates. In order to
renamed project to rhodecode
r547 fulfill the request any of predicates must be meet
"""
#49 Enabled anonymous access for web interface controllable from permissions pannel
r673
renamed project to rhodecode
r547 def check_permissions(self):
if self.required_perms.intersection(self.user_perms.get('global')):
return True
return False
PEP8ify
r1246
renamed project to rhodecode
r547 class HasRepoPermissionAllDecorator(PermsDecorator):
notification to commit author + gardening
r1716 """
Checks for access permission for all given predicates for specific
renamed project to rhodecode
r547 repository. All of them have to be meet in order to fulfill the request
"""
#49 Enabled anonymous access for web interface controllable from permissions pannel
r673
renamed project to rhodecode
r547 def check_permissions(self):
repo_name = get_repo_slug(request)
try:
user_perms = set([self.user_perms['repositories'][repo_name]])
except KeyError:
return False
if self.required_perms.issubset(user_perms):
return True
return False
#49 Enabled anonymous access for web interface controllable from permissions pannel
r673
renamed project to rhodecode
r547
class HasRepoPermissionAnyDecorator(PermsDecorator):
notification to commit author + gardening
r1716 """
Checks for access permission for any of given predicates for specific
renamed project to rhodecode
r547 repository. In order to fulfill the request any of predicates must be meet
"""
#49 Enabled anonymous access for web interface controllable from permissions pannel
r673
renamed project to rhodecode
r547 def check_permissions(self):
repo_name = get_repo_slug(request)
try:
user_perms = set([self.user_perms['repositories'][repo_name]])
except KeyError:
return False
more detailed logging on auth system...
r2125
renamed project to rhodecode
r547 if self.required_perms.intersection(user_perms):
return True
return False
PEP8ify
r1246
#227 Initial version of repository groups permissions system...
r1982 class HasReposGroupPermissionAllDecorator(PermsDecorator):
"""
Checks for access permission for all given predicates for specific
repository. All of them have to be meet in order to fulfill the request
"""
def check_permissions(self):
group_name = get_repos_group_slug(request)
try:
user_perms = set([self.user_perms['repositories_groups'][group_name]])
except KeyError:
return False
Group management delegation:...
r3222
#227 Initial version of repository groups permissions system...
r1982 if self.required_perms.issubset(user_perms):
return True
return False
class HasReposGroupPermissionAnyDecorator(PermsDecorator):
"""
Checks for access permission for any of given predicates for specific
repository. In order to fulfill the request any of predicates must be meet
"""
def check_permissions(self):
group_name = get_repos_group_slug(request)
try:
user_perms = set([self.user_perms['repositories_groups'][group_name]])
except KeyError:
return False
Group management delegation:...
r3222
#227 Initial version of repository groups permissions system...
r1982 if self.required_perms.intersection(user_perms):
return True
return False
PEP8ify
r1246 #==============================================================================
renamed project to rhodecode
r547 # CHECK FUNCTIONS
PEP8ify
r1246 #==============================================================================
renamed project to rhodecode
r547 class PermsFunction(object):
"""Base function for other check functions"""
#49 Enabled anonymous access for web interface controllable from permissions pannel
r673
renamed project to rhodecode
r547 def __init__(self, *perms):
available_perms = config['available_permissions']
#49 Enabled anonymous access for web interface controllable from permissions pannel
r673
renamed project to rhodecode
r547 for perm in perms:
if perm not in available_perms:
added initial rc-extension module...
r2105 raise Exception("'%s' permission is not defined" % perm)
renamed project to rhodecode
r547 self.required_perms = set(perms)
self.user_perms = None
self.repo_name = None
more detailed logging on auth system...
r2125 self.group_name = None
#49 Enabled anonymous access for web interface controllable from permissions pannel
r673
refactor check_Location => check_location
r3313 def __call__(self, check_location=''):
#TODO: put user as attribute here
- fixes celery sqlalchemy session issues for async forking...
r1728 user = request.user
more detailed logging on auth system...
r2125 cls_name = self.__class__.__name__
check_scope = {
'HasPermissionAll': '',
'HasPermissionAny': '',
'HasRepoPermissionAll': 'repo:%s' % self.repo_name,
'HasRepoPermissionAny': 'repo:%s' % self.repo_name,
'HasReposGroupPermissionAll': 'group:%s' % self.group_name,
'HasReposGroupPermissionAny': 'group:%s' % self.group_name,
}.get(cls_name, '?')
log.debug('checking cls:%s %s usr:%s %s @ %s', cls_name,
self.required_perms, user, check_scope,
refactor check_Location => check_location
r3313 check_location or 'unspecified location')
renamed project to rhodecode
r547 if not user:
fixed issue with sessions that lead to redirection loops
r2045 log.debug('Empty request user')
renamed project to rhodecode
r547 return False
self.user_perms = user.permissions
if self.check_permissions():
Mads Kiilerich
logging: include more info in grant/deny log entries...
r3137 log.debug('Permission to %s granted for user: %s @ %s', self.repo_name, user,
refactor check_Location => check_location
r3313 check_location or 'unspecified location')
renamed project to rhodecode
r547 return True
#49 Enabled anonymous access for web interface controllable from permissions pannel
r673
renamed project to rhodecode
r547 else:
Mads Kiilerich
logging: include more info in grant/deny log entries...
r3137 log.debug('Permission to %s denied for user: %s @ %s', self.repo_name, user,
refactor check_Location => check_location
r3313 check_location or 'unspecified location')
#49 Enabled anonymous access for web interface controllable from permissions pannel
r673 return False
renamed project to rhodecode
r547 def check_permissions(self):
"""Dummy function for overriding"""
raise Exception('You have to write this function in child class')
#49 Enabled anonymous access for web interface controllable from permissions pannel
r673
PEP8ify
r1246
renamed project to rhodecode
r547 class HasPermissionAll(PermsFunction):
def check_permissions(self):
if self.required_perms.issubset(self.user_perms.get('global')):
return True
return False
PEP8ify
r1246
renamed project to rhodecode
r547 class HasPermissionAny(PermsFunction):
def check_permissions(self):
if self.required_perms.intersection(self.user_perms.get('global')):
return True
return False
PEP8ify
r1246
renamed project to rhodecode
r547 class HasRepoPermissionAll(PermsFunction):
refactor check_Location => check_location
r3313 def __call__(self, repo_name=None, check_location=''):
renamed project to rhodecode
r547 self.repo_name = repo_name
refactor check_Location => check_location
r3313 return super(HasRepoPermissionAll, self).__call__(check_location)
#49 Enabled anonymous access for web interface controllable from permissions pannel
r673
renamed project to rhodecode
r547 def check_permissions(self):
if not self.repo_name:
self.repo_name = get_repo_slug(request)
try:
more detailed logging on auth system...
r2125 self._user_perms = set(
#227 Initial version of repository groups permissions system...
r1982 [self.user_perms['repositories'][self.repo_name]]
)
renamed project to rhodecode
r547 except KeyError:
return False
more detailed logging on auth system...
r2125 if self.required_perms.issubset(self._user_perms):
renamed project to rhodecode
r547 return True
return False
#49 Enabled anonymous access for web interface controllable from permissions pannel
r673
PEP8ify
r1246
renamed project to rhodecode
r547 class HasRepoPermissionAny(PermsFunction):
refactor check_Location => check_location
r3313 def __call__(self, repo_name=None, check_location=''):
renamed project to rhodecode
r547 self.repo_name = repo_name
refactor check_Location => check_location
r3313 return super(HasRepoPermissionAny, self).__call__(check_location)
#49 Enabled anonymous access for web interface controllable from permissions pannel
r673
renamed project to rhodecode
r547 def check_permissions(self):
if not self.repo_name:
self.repo_name = get_repo_slug(request)
try:
more detailed logging on auth system...
r2125 self._user_perms = set(
#227 Initial version of repository groups permissions system...
r1982 [self.user_perms['repositories'][self.repo_name]]
)
renamed project to rhodecode
r547 except KeyError:
return False
more detailed logging on auth system...
r2125 if self.required_perms.intersection(self._user_perms):
renamed project to rhodecode
r547 return True
return False
PEP8ify
r1246
#227 Initial version of repository groups permissions system...
r1982 class HasReposGroupPermissionAny(PermsFunction):
refactor check_Location => check_location
r3313 def __call__(self, group_name=None, check_location=''):
#227 Initial version of repository groups permissions system...
r1982 self.group_name = group_name
refactor check_Location => check_location
r3313 return super(HasReposGroupPermissionAny, self).__call__(check_location)
#227 Initial version of repository groups permissions system...
r1982
def check_permissions(self):
try:
more detailed logging on auth system...
r2125 self._user_perms = set(
#227 Initial version of repository groups permissions system...
r1982 [self.user_perms['repositories_groups'][self.group_name]]
)
except KeyError:
return False
more detailed logging on auth system...
r2125 if self.required_perms.intersection(self._user_perms):
#227 Initial version of repository groups permissions system...
r1982 return True
return False
class HasReposGroupPermissionAll(PermsFunction):
refactor check_Location => check_location
r3313 def __call__(self, group_name=None, check_location=''):
#227 Initial version of repository groups permissions system...
r1982 self.group_name = group_name
refactor check_Location => check_location
r3313 return super(HasReposGroupPermissionAll, self).__call__(check_location)
#227 Initial version of repository groups permissions system...
r1982
def check_permissions(self):
try:
more detailed logging on auth system...
r2125 self._user_perms = set(
#227 Initial version of repository groups permissions system...
r1982 [self.user_perms['repositories_groups'][self.group_name]]
)
except KeyError:
return False
more detailed logging on auth system...
r2125 if self.required_perms.issubset(self._user_perms):
#227 Initial version of repository groups permissions system...
r1982 return True
return False
PEP8ify
r1246 #==============================================================================
renamed project to rhodecode
r547 # SPECIAL VERSION TO HANDLE MIDDLEWARE AUTH
PEP8ify
r1246 #==============================================================================
renamed project to rhodecode
r547 class HasPermissionAnyMiddleware(object):
def __init__(self, *perms):
self.required_perms = set(perms)
#49 Enabled anonymous access for web interface controllable from permissions pannel
r673
renamed project to rhodecode
r547 def __call__(self, user, repo_name):
fixed some unicode problems with waitress...
r2100 # repo_name MUST be unicode, since we handle keys in permission
# dict by unicode
repo_name = safe_unicode(repo_name)
Major rewrite of auth objects. Moved parts of filling user data into user model....
r1117 usr = AuthUser(user.user_id)
renamed project to rhodecode
r547 try:
Major rewrite of auth objects. Moved parts of filling user data into user model....
r1117 self.user_perms = set([usr.permissions['repositories'][repo_name]])
fixed some unicode problems with waitress...
r2100 except Exception:
utils/conf...
r2109 log.error('Exception while accessing permissions %s' %
fixed some unicode problems with waitress...
r2100 traceback.format_exc())
renamed project to rhodecode
r547 self.user_perms = set()
self.username = user.username
#49 Enabled anonymous access for web interface controllable from permissions pannel
r673 self.repo_name = repo_name
renamed project to rhodecode
r547 return self.check_permissions()
#49 Enabled anonymous access for web interface controllable from permissions pannel
r673
renamed project to rhodecode
r547 def check_permissions(self):
Implemented basic locking functionality....
r2726 log.debug('checking VCS protocol '
fixes fixes fixes ! optimized queries on journal...
r1040 'permissions %s for user:%s repository:%s', self.user_perms,
renamed project to rhodecode
r547 self.username, self.repo_name)
if self.required_perms.intersection(self.user_perms):
more detailed logging on auth system...
r2125 log.debug('permission granted for user:%s on repo:%s' % (
self.username, self.repo_name
)
)
renamed project to rhodecode
r547 return True
more detailed logging on auth system...
r2125 log.debug('permission denied for user:%s on repo:%s' % (
self.username, self.repo_name
)
)
renamed project to rhodecode
r547 return False
Added UserIpMap interface for allowed IP addresses and IP restriction access...
r3125
Implemented API calls for non-admin users for locking/unlocking repositories
r3161 #==============================================================================
# SPECIAL VERSION TO HANDLE API AUTH
#==============================================================================
class _BaseApiPerm(object):
def __init__(self, *perms):
self.required_perms = set(perms)
def __call__(self, check_location='unspecified', user=None, repo_name=None):
cls_name = self.__class__.__name__
check_scope = 'user:%s, repo:%s' % (user, repo_name)
log.debug('checking cls:%s %s %s @ %s', cls_name,
self.required_perms, check_scope, check_location)
if not user:
log.debug('Empty User passed into arguments')
return False
## process user
if not isinstance(user, AuthUser):
user = AuthUser(user.user_id)
if self.check_permissions(user.permissions, repo_name):
log.debug('Permission to %s granted for user: %s @ %s', repo_name,
user, check_location)
return True
else:
log.debug('Permission to %s denied for user: %s @ %s', repo_name,
user, check_location)
return False
def check_permissions(self, perm_defs, repo_name):
"""
implement in child class should return True if permissions are ok,
False otherwise
:param perm_defs: dict with permission definitions
:param repo_name: repo name
"""
raise NotImplementedError()
class HasPermissionAllApi(_BaseApiPerm):
def __call__(self, user, check_location=''):
return super(HasPermissionAllApi, self)\
.__call__(check_location=check_location, user=user)
def check_permissions(self, perm_defs, repo):
if self.required_perms.issubset(perm_defs.get('global')):
return True
return False
class HasPermissionAnyApi(_BaseApiPerm):
def __call__(self, user, check_location=''):
return super(HasPermissionAnyApi, self)\
.__call__(check_location=check_location, user=user)
def check_permissions(self, perm_defs, repo):
if self.required_perms.intersection(perm_defs.get('global')):
return True
return False
class HasRepoPermissionAllApi(_BaseApiPerm):
def __call__(self, user, repo_name, check_location=''):
return super(HasRepoPermissionAllApi, self)\
.__call__(check_location=check_location, user=user,
repo_name=repo_name)
def check_permissions(self, perm_defs, repo_name):
try:
self._user_perms = set(
[perm_defs['repositories'][repo_name]]
)
except KeyError:
log.warning(traceback.format_exc())
return False
if self.required_perms.issubset(self._user_perms):
return True
return False
class HasRepoPermissionAnyApi(_BaseApiPerm):
def __call__(self, user, repo_name, check_location=''):
return super(HasRepoPermissionAnyApi, self)\
.__call__(check_location=check_location, user=user,
repo_name=repo_name)
def check_permissions(self, perm_defs, repo_name):
try:
_user_perms = set(
[perm_defs['repositories'][repo_name]]
)
except KeyError:
log.warning(traceback.format_exc())
return False
if self.required_perms.intersection(_user_perms):
return True
return False
Added UserIpMap interface for allowed IP addresses and IP restriction access...
r3125 def check_ip_access(source_ip, allowed_ips=None):
"""
Checks if source_ip is a subnet of any of allowed_ips.
:param source_ip:
:param allowed_ips: list of allowed ips together with mask
"""
from rhodecode.lib import ipaddr
log.debug('checking if ip:%s is subnet of %s' % (source_ip, allowed_ips))
if isinstance(allowed_ips, (tuple, list, set)):
for ip in allowed_ips:
IP restrictions now also enabled for IPv6
r3212 try:
if ipaddr.IPAddress(source_ip) in ipaddr.IPNetwork(ip):
return True
# for any case we cannot determine the IP, don't crash just
# skip it and log as error, we want to say forbidden still when
# sending bad IP
except Exception:
log.error(traceback.format_exc())
continue
Added UserIpMap interface for allowed IP addresses and IP restriction access...
r3125 return False