@@ -41,11 +41,18 b' from rhodecode.lib.auth_ldap import Auth' | |||
|
41 | 41 | from rhodecode.model import meta |
|
42 | 42 | from rhodecode.model.user import UserModel |
|
43 | 43 | from rhodecode.model.db import User, RepoToPerm, Repository, Permission, \ |
|
44 | UserToPerm | |
|
44 | UserToPerm, UsersGroupToPerm, UsersGroupMember | |
|
45 | 45 | |
|
46 | 46 | |
|
47 | 47 | log = logging.getLogger(__name__) |
|
48 | 48 | |
|
49 | ||
|
50 | PERM_WEIGHTS = {'repository.none':0, | |
|
51 | 'repository.read':1, | |
|
52 | 'repository.write':3, | |
|
53 | 'repository.admin':3} | |
|
54 | ||
|
55 | ||
|
49 | 56 | class PasswordGenerator(object): |
|
50 | 57 | """This is a simple class for generating password from |
|
51 | 58 | different sets of characters |
@@ -73,7 +80,8 b' class PasswordGenerator(object):' | |||
|
73 | 80 | |
|
74 | 81 | |
|
75 | 82 | def get_crypt_password(password): |
|
76 |
"""Cryptographic function used for password hashing based on |
|
|
83 | """Cryptographic function used for password hashing based on pybcrypt | |
|
84 | ||
|
77 | 85 | :param password: password to hash |
|
78 | 86 | """ |
|
79 | 87 | return bcrypt.hashpw(password, bcrypt.gensalt(10)) |
@@ -82,8 +90,7 b' def check_password(password, hashed):' | |||
|
82 | 90 | return bcrypt.hashpw(password, hashed) == hashed |
|
83 | 91 | |
|
84 | 92 | def authfunc(environ, username, password): |
|
85 | """ | |
|
86 | Dummy authentication function used in Mercurial/Git/ and access control, | |
|
93 | """Dummy authentication function used in Mercurial/Git/ and access control, | |
|
87 | 94 | |
|
88 | 95 | :param environ: needed only for using in Basic auth |
|
89 | 96 | """ |
@@ -91,8 +98,7 b' def authfunc(environ, username, password' | |||
|
91 | 98 | |
|
92 | 99 | |
|
93 | 100 | def authenticate(username, password): |
|
94 | """ | |
|
95 | Authentication function used for access control, | |
|
101 | """Authentication function used for access control, | |
|
96 | 102 | firstly checks for db authentication then if ldap is enabled for ldap |
|
97 | 103 | authentication, also creates ldap user if not in database |
|
98 | 104 | |
@@ -130,7 +136,7 b' def authenticate(username, password):' | |||
|
130 | 136 | ldap_settings = SettingsModel().get_ldap_settings() |
|
131 | 137 | |
|
132 | 138 | #====================================================================== |
|
133 |
# FALLBACK TO LDAP AUTH I |
|
|
139 | # FALLBACK TO LDAP AUTH IF ENABLE | |
|
134 | 140 | #====================================================================== |
|
135 | 141 | if ldap_settings.get('ldap_active', False): |
|
136 | 142 | log.debug("Authenticating user using ldap") |
@@ -160,7 +166,7 b' def authenticate(username, password):' | |||
|
160 | 166 | } |
|
161 | 167 | |
|
162 | 168 | if user_model.create_ldap(username, password, user_dn, user_attrs): |
|
163 | log.info('created new ldap user') | |
|
169 | log.info('created new ldap user %s', username) | |
|
164 | 170 | |
|
165 | 171 | return True |
|
166 | 172 | except (LdapUsernameError, LdapPasswordError,): |
@@ -171,9 +177,9 b' def authenticate(username, password):' | |||
|
171 | 177 | return False |
|
172 | 178 | |
|
173 | 179 | class AuthUser(object): |
|
180 | """A simple object that handles a mercurial username for authentication | |
|
174 | 181 |
|
|
175 | A simple object that handles a mercurial username for authentication | |
|
176 | """ | |
|
182 | ||
|
177 | 183 | def __init__(self): |
|
178 | 184 | self.username = 'None' |
|
179 | 185 | self.name = '' |
@@ -189,7 +195,7 b' class AuthUser(object):' | |||
|
189 | 195 | |
|
190 | 196 | def set_available_permissions(config): |
|
191 | 197 | """This function will propagate pylons globals with all available defined |
|
192 |
permission given in db. We don't wan |
|
|
198 | permission given in db. We don't want to check each time from db for new | |
|
193 | 199 | permissions since adding a new permission also requires application restart |
|
194 | 200 | ie. to decorate new views with the newly created permission |
|
195 | 201 | |
@@ -213,9 +219,10 b' def set_base_path(config):' | |||
|
213 | 219 | |
|
214 | 220 | def fill_perms(user): |
|
215 | 221 | """Fills user permission attribute with permissions taken from database |
|
222 | works for permissions given for repositories, and for permissions that | |
|
223 | as part of beeing group member | |
|
216 | 224 | |
|
217 | :param user: | |
|
218 | ||
|
225 | :param user: user instance to fill his perms | |
|
219 | 226 | """ |
|
220 | 227 | |
|
221 | 228 | sa = meta.Session() |
@@ -255,7 +262,7 b' def fill_perms(user):' | |||
|
255 | 262 | for perm in default_global_perms: |
|
256 | 263 | user.permissions['global'].add(perm.permission.permission_name) |
|
257 | 264 | |
|
258 | #default repositories | |
|
265 | #default for repositories | |
|
259 | 266 | for perm in default_perms: |
|
260 | 267 | if perm.Repository.private and not perm.Repository.user_id == user.user_id: |
|
261 | 268 | #disable defaults for private repos, |
@@ -269,7 +276,7 b' def fill_perms(user):' | |||
|
269 | 276 | user.permissions['repositories'][perm.RepoToPerm.repository.repo_name] = p |
|
270 | 277 | |
|
271 | 278 | #======================================================================= |
|
272 |
# |
|
|
279 | # overwrite default with user permissions if any | |
|
273 | 280 | #======================================================================= |
|
274 | 281 | user_perms = sa.query(RepoToPerm, Permission, Repository)\ |
|
275 | 282 | .join((Repository, RepoToPerm.repository_id == Repository.repo_id))\ |
@@ -282,12 +289,31 b' def fill_perms(user):' | |||
|
282 | 289 | else: |
|
283 | 290 | p = perm.Permission.permission_name |
|
284 | 291 | user.permissions['repositories'][perm.RepoToPerm.repository.repo_name] = p |
|
292 | ||
|
293 | ||
|
294 | #======================================================================= | |
|
295 | # check if user is part of groups for this repository and fill in | |
|
296 | # (or replace with higher) permissions | |
|
297 | #======================================================================= | |
|
298 | user_perms_from_users_groups = sa.query(UsersGroupToPerm, Permission, Repository,)\ | |
|
299 | .join((Repository, UsersGroupToPerm.repository_id == Repository.repo_id))\ | |
|
300 | .join((Permission, UsersGroupToPerm.permission_id == Permission.permission_id))\ | |
|
301 | .join((UsersGroupMember, UsersGroupToPerm.users_group_id == UsersGroupMember.users_group_id))\ | |
|
302 | .filter(UsersGroupMember.user_id == user.user_id).all() | |
|
303 | ||
|
304 | for perm in user_perms_from_users_groups: | |
|
305 | p = perm.Permission.permission_name | |
|
306 | cur_perm = user.permissions['repositories'][perm.UsersGroupToPerm.repository.repo_name] | |
|
307 | #overwrite permission only if it's greater than permission given from other sources | |
|
308 | if PERM_WEIGHTS[p] > PERM_WEIGHTS[cur_perm]: | |
|
309 | user.permissions['repositories'][perm.UsersGroupToPerm.repository.repo_name] = p | |
|
310 | ||
|
285 | 311 | meta.Session.remove() |
|
286 | 312 | return user |
|
287 | 313 | |
|
288 | 314 | def get_user(session): |
|
289 | """ | |
|
290 | Gets user from session, and wraps permissions into user | |
|
315 | """Gets user from session, and wraps permissions into user | |
|
316 | ||
|
291 | 317 | :param session: |
|
292 | 318 | """ |
|
293 | 319 | user = session.get('rhodecode_user', AuthUser()) |
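Review bot: The merge loop at the end of fill_perms only promotes a users-group permission when `PERM_WEIGHTS[p] > PERM_WEIGHTS[cur_perm]`, but the table added earlier in this commit gives `'repository.write'` and `'repository.admin'` the same weight 3, so admin granted through a group can never replace a write permission that came from the defaults or the per-user grants; the table should be strictly increasing, `'repository.write': 2, 'repository.admin': 3`. The lookup `cur_perm = user.permissions['repositories'][...]` also assumes the repository name was already seeded by the defaults loop earlier in the function, which is not visible in this hunk — if a repository can be missing there, `cur_perm = user.permissions['repositories'].get(repo_name, 'repository.none')` keeps the merge from raising KeyError. Both `PERM_WEIGHTS[...]` lookups would likewise raise on any permission name outside the four listed, so a comment stating that the table must enumerate every `repository.*` permission in the db would help the next maintainer who adds one. fill_perms starts outside this hunk.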