Fixed a decorator bug when using them with keyword arguments; the new implementation takes a new approach that is more flexible
marcink -
r377:bd8b25ad default
@@ -1,436 +1,427
1 #!/usr/bin/env python
1 #!/usr/bin/env python
2 # encoding: utf-8
2 # encoding: utf-8
3 # authentication and permission libraries
3 # authentication and permission libraries
4 # Copyright (C) 2009-2010 Marcin Kuzminski <marcin@python-works.com>
4 # Copyright (C) 2009-2010 Marcin Kuzminski <marcin@python-works.com>
5
5 #
6 # This program is free software; you can redistribute it and/or
6 # This program is free software; you can redistribute it and/or
7 # modify it under the terms of the GNU General Public License
7 # modify it under the terms of the GNU General Public License
8 # as published by the Free Software Foundation; version 2
8 # as published by the Free Software Foundation; version 2
9 # of the License or (at your opinion) any later version of the license.
9 # of the License or (at your opinion) any later version of the license.
10 #
10 #
11 # This program is distributed in the hope that it will be useful,
11 # This program is distributed in the hope that it will be useful,
12 # but WITHOUT ANY WARRANTY; without even the implied warranty of
12 # but WITHOUT ANY WARRANTY; without even the implied warranty of
13 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 # GNU General Public License for more details.
14 # GNU General Public License for more details.
15 #
15 #
16 # You should have received a copy of the GNU General Public License
16 # You should have received a copy of the GNU General Public License
17 # along with this program; if not, write to the Free Software
17 # along with this program; if not, write to the Free Software
18 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
18 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
19 # MA 02110-1301, USA.
19 # MA 02110-1301, USA.
20 """
21 Created on April 4, 2010
22
23 @author: marcink
24 """
25 from beaker.cache import cache_region
20 from beaker.cache import cache_region
26 from functools import wraps
27 from pylons import config, session, url, request
21 from pylons import config, session, url, request
28 from pylons.controllers.util import abort, redirect
22 from pylons.controllers.util import abort, redirect
29 from pylons_app.lib.utils import get_repo_slug
23 from pylons_app.lib.utils import get_repo_slug
30 from pylons_app.model import meta
24 from pylons_app.model import meta
31 from pylons_app.model.db import User, Repo2Perm, Repository, Permission
25 from pylons_app.model.db import User, Repo2Perm, Repository, Permission
32 from sqlalchemy.exc import OperationalError
26 from sqlalchemy.exc import OperationalError
33 from sqlalchemy.orm.exc import NoResultFound, MultipleResultsFound
27 from sqlalchemy.orm.exc import NoResultFound, MultipleResultsFound
34 import crypt
28 import crypt
29 from decorator import decorator
35 import logging
30 import logging
31 """
32 Created on April 4, 2010
33
34 @author: marcink
35 """
36
36
37 log = logging.getLogger(__name__)
37 log = logging.getLogger(__name__)
38
38
39 def get_crypt_password(password):
39 def get_crypt_password(password):
40 """
40 """
41 Cryptographic function used for password hashing
41 Cryptographic function used for password hashing
42 @param password: password to hash
42 @param password: password to hash
43 """
43 """
44 return crypt.crypt(password, '6a')
44 return crypt.crypt(password, '6a')
45
45
46
46
47 @cache_region('super_short_term', 'cached_user')
47 @cache_region('super_short_term', 'cached_user')
48 def get_user_cached(username):
48 def get_user_cached(username):
49 sa = meta.Session
49 sa = meta.Session
50 try:
50 try:
51 user = sa.query(User).filter(User.username == username).one()
51 user = sa.query(User).filter(User.username == username).one()
52 finally:
52 finally:
53 meta.Session.remove()
53 meta.Session.remove()
54 return user
54 return user
55
55
56 def authfunc(environ, username, password):
56 def authfunc(environ, username, password):
57 password_crypt = get_crypt_password(password)
57 password_crypt = get_crypt_password(password)
58 try:
58 try:
59 user = get_user_cached(username)
59 user = get_user_cached(username)
60 except (NoResultFound, MultipleResultsFound, OperationalError) as e:
60 except (NoResultFound, MultipleResultsFound, OperationalError) as e:
61 log.error(e)
61 log.error(e)
62 user = None
62 user = None
63
63
64 if user:
64 if user:
65 if user.active:
65 if user.active:
66 if user.username == username and user.password == password_crypt:
66 if user.username == username and user.password == password_crypt:
67 log.info('user %s authenticated correctly', username)
67 log.info('user %s authenticated correctly', username)
68 return True
68 return True
69 else:
69 else:
70 log.error('user %s is disabled', username)
70 log.error('user %s is disabled', username)
71
71
72 return False
72 return False
73
73
74 class AuthUser(object):
74 class AuthUser(object):
75 """
75 """
76 A simple object that handles a mercurial username for authentication
76 A simple object that handles a mercurial username for authentication
77 """
77 """
78 def __init__(self):
78 def __init__(self):
79 self.username = 'None'
79 self.username = 'None'
80 self.name = ''
80 self.name = ''
81 self.lastname = ''
81 self.lastname = ''
82 self.user_id = None
82 self.user_id = None
83 self.is_authenticated = False
83 self.is_authenticated = False
84 self.is_admin = False
84 self.is_admin = False
85 self.permissions = {}
85 self.permissions = {}
86
86
87
87
88 def set_available_permissions(config):
88 def set_available_permissions(config):
89 """
89 """
90 This function will propagate pylons globals with all available defined
90 This function will propagate pylons globals with all available defined
91 permission given in db. We don't wannt to check each time from db for new
91 permission given in db. We don't wannt to check each time from db for new
92 permissions since adding a new permission also requires application restart
92 permissions since adding a new permission also requires application restart
93 ie. to decorate new views with the newly created permission
93 ie. to decorate new views with the newly created permission
94 @param config:
94 @param config:
95 """
95 """
96 log.info('getting information about all available permissions')
96 log.info('getting information about all available permissions')
97 try:
97 try:
98 sa = meta.Session
98 sa = meta.Session
99 all_perms = sa.query(Permission).all()
99 all_perms = sa.query(Permission).all()
100 finally:
100 finally:
101 meta.Session.remove()
101 meta.Session.remove()
102
102
103 config['available_permissions'] = [x.permission_name for x in all_perms]
103 config['available_permissions'] = [x.permission_name for x in all_perms]
104
104
105 def set_base_path(config):
105 def set_base_path(config):
106 config['base_path'] = config['pylons.app_globals'].base_path
106 config['base_path'] = config['pylons.app_globals'].base_path
107
107
108 def fill_data(user):
108 def fill_data(user):
109 """
109 """
110 Fills user data with those from database
110 Fills user data with those from database
111 @param user:
111 @param user:
112 """
112 """
113 sa = meta.Session
113 sa = meta.Session
114 dbuser = sa.query(User).get(user.user_id)
114 dbuser = sa.query(User).get(user.user_id)
115
115
116 user.username = dbuser.username
116 user.username = dbuser.username
117 user.is_admin = dbuser.admin
117 user.is_admin = dbuser.admin
118 user.name = dbuser.name
118 user.name = dbuser.name
119 user.lastname = dbuser.lastname
119 user.lastname = dbuser.lastname
120
120
121 meta.Session.remove()
121 meta.Session.remove()
122 return user
122 return user
123
123
124 def fill_perms(user):
124 def fill_perms(user):
125 """
125 """
126 Fills user permission attribute with permissions taken from database
126 Fills user permission attribute with permissions taken from database
127 @param user:
127 @param user:
128 """
128 """
129
129
130 sa = meta.Session
130 sa = meta.Session
131 user.permissions['repositories'] = {}
131 user.permissions['repositories'] = {}
132 user.permissions['global'] = set()
132 user.permissions['global'] = set()
133
133
134 #first fetch default permissions
134 #first fetch default permissions
135 default_perms = sa.query(Repo2Perm, Repository, Permission)\
135 default_perms = sa.query(Repo2Perm, Repository, Permission)\
136 .join((Repository, Repo2Perm.repository_id == Repository.repo_id))\
136 .join((Repository, Repo2Perm.repository_id == Repository.repo_id))\
137 .join((Permission, Repo2Perm.permission_id == Permission.permission_id))\
137 .join((Permission, Repo2Perm.permission_id == Permission.permission_id))\
138 .filter(Repo2Perm.user_id == sa.query(User).filter(User.username ==
138 .filter(Repo2Perm.user_id == sa.query(User).filter(User.username ==
139 'default').one().user_id).all()
139 'default').one().user_id).all()
140
140
141 if user.is_admin:
141 if user.is_admin:
142 user.permissions['global'].add('hg.admin')
142 user.permissions['global'].add('hg.admin')
143 #admin have all rights full
143 #admin have all rights full
144 for perm in default_perms:
144 for perm in default_perms:
145 p = 'repository.admin'
145 p = 'repository.admin'
146 user.permissions['repositories'][perm.Repo2Perm.repository.repo_name] = p
146 user.permissions['repositories'][perm.Repo2Perm.repository.repo_name] = p
147
147
148 else:
148 else:
149 user.permissions['global'].add('')
149 user.permissions['global'].add('repository.create')
150 for perm in default_perms:
150 for perm in default_perms:
151 if perm.Repository.private:
151 if perm.Repository.private:
152 #disable defaults for private repos,
152 #disable defaults for private repos,
153 p = 'repository.none'
153 p = 'repository.none'
154 elif perm.Repository.user_id == user.user_id:
154 elif perm.Repository.user_id == user.user_id:
155 #set admin if owner
155 #set admin if owner
156 p = 'repository.admin'
156 p = 'repository.admin'
157 else:
157 else:
158 p = perm.Permission.permission_name
158 p = perm.Permission.permission_name
159
159
160 user.permissions['repositories'][perm.Repo2Perm.repository.repo_name] = p
160 user.permissions['repositories'][perm.Repo2Perm.repository.repo_name] = p
161
161
162
162
163 user_perms = sa.query(Repo2Perm, Permission, Repository)\
163 user_perms = sa.query(Repo2Perm, Permission, Repository)\
164 .join((Repository, Repo2Perm.repository_id == Repository.repo_id))\
164 .join((Repository, Repo2Perm.repository_id == Repository.repo_id))\
165 .join((Permission, Repo2Perm.permission_id == Permission.permission_id))\
165 .join((Permission, Repo2Perm.permission_id == Permission.permission_id))\
166 .filter(Repo2Perm.user_id == user.user_id).all()
166 .filter(Repo2Perm.user_id == user.user_id).all()
167 #overwrite userpermissions with defaults
167 #overwrite userpermissions with defaults
168 for perm in user_perms:
168 for perm in user_perms:
169 #set write if owner
169 #set write if owner
170 if perm.Repository.user_id == user.user_id:
170 if perm.Repository.user_id == user.user_id:
171 p = 'repository.write'
171 p = 'repository.write'
172 else:
172 else:
173 p = perm.Permission.permission_name
173 p = perm.Permission.permission_name
174 user.permissions['repositories'][perm.Repo2Perm.repository.repo_name] = p
174 user.permissions['repositories'][perm.Repo2Perm.repository.repo_name] = p
175 meta.Session.remove()
175 meta.Session.remove()
176 return user
176 return user
177
177
178 def get_user(session):
178 def get_user(session):
179 """
179 """
180 Gets user from session, and wraps permissions into user
180 Gets user from session, and wraps permissions into user
181 @param session:
181 @param session:
182 """
182 """
183 user = session.get('hg_app_user', AuthUser())
183 user = session.get('hg_app_user', AuthUser())
184 if user.is_authenticated:
184 if user.is_authenticated:
185 user = fill_data(user)
185 user = fill_data(user)
186 user = fill_perms(user)
186 user = fill_perms(user)
187 session['hg_app_user'] = user
187 session['hg_app_user'] = user
188 session.save()
188 session.save()
189 return user
189 return user
190
190
191 #===============================================================================
191 #===============================================================================
192 # CHECK DECORATORS
192 # CHECK DECORATORS
193 #===============================================================================
193 #===============================================================================
194 class LoginRequired(object):
194 class LoginRequired(object):
195 """
195 """Must be logged in to execute this function else redirect to login page"""
196 Must be logged in to execute this function else redirect to login page
197 """
198
196
199 def __call__(self, func):
197 def __call__(self, func):
200 @wraps(func)
198 return decorator(self.__wrapper, func)
201 def _wrapper(*fargs, **fkwargs):
199
202 user = session.get('hg_app_user', AuthUser())
200 def __wrapper(self, func, *fargs, **fkwargs):
203 log.debug('Checking login required for user:%s', user.username)
201 user = session.get('hg_app_user', AuthUser())
204 if user.is_authenticated:
202 log.debug('Checking login required for user:%s', user.username)
205 log.debug('user %s is authenticated', user.username)
203 if user.is_authenticated:
206 func(*fargs)
204 log.debug('user %s is authenticated', user.username)
207 else:
205 return func(*fargs, **fkwargs)
208 log.warn('user %s not authenticated', user.username)
206 else:
209 log.debug('redirecting to login page')
207 log.warn('user %s not authenticated', user.username)
210 return redirect(url('login_home'))
208 log.debug('redirecting to login page')
211
209 return redirect(url('login_home'))
212 return _wrapper
213
210
214 class PermsDecorator(object):
211 class PermsDecorator(object):
215 """
212 """Base class for decorators"""
216 Base class for decorators
217 """
218
213
219 def __init__(self, *required_perms):
214 def __init__(self, *required_perms):
220 available_perms = config['available_permissions']
215 available_perms = config['available_permissions']
221 for perm in required_perms:
216 for perm in required_perms:
222 if perm not in available_perms:
217 if perm not in available_perms:
223 raise Exception("'%s' permission is not defined" % perm)
218 raise Exception("'%s' permission is not defined" % perm)
224 self.required_perms = set(required_perms)
219 self.required_perms = set(required_perms)
225 self.user_perms = None
220 self.user_perms = None
226
221
227 def __call__(self, func):
222 def __call__(self, func):
228 @wraps(func)
223 return decorator(self.__wrapper, func)
229 def _wrapper(*fargs, **fkwargs):
224
230 self.user_perms = session.get('hg_app_user', AuthUser()).permissions
225
231 log.debug('checking %s permissions %s for %s',
226 def __wrapper(self, func, *fargs, **fkwargs):
232 self.__class__.__name__, self.required_perms, func.__name__)
227 # _wrapper.__name__ = func.__name__
228 # _wrapper.__dict__.update(func.__dict__)
229 # _wrapper.__doc__ = func.__doc__
230
231 self.user_perms = session.get('hg_app_user', AuthUser()).permissions
232 log.debug('checking %s permissions %s for %s',
233 self.__class__.__name__, self.required_perms, func.__name__)
234
235 if self.check_permissions():
236 log.debug('Permission granted for %s', func.__name__)
233
237
234 if self.check_permissions():
238 return func(*fargs, **fkwargs)
235 log.debug('Permission granted for %s', func.__name__)
239
236 return func(*fargs)
240 else:
237
241 log.warning('Permission denied for %s', func.__name__)
238 else:
242 #redirect with forbidden ret code
239 log.warning('Permission denied for %s', func.__name__)
243 return abort(403)
240 #redirect with forbidden ret code
244
241 return abort(403)
242 return _wrapper
243
245
244
246
245 def check_permissions(self):
247 def check_permissions(self):
246 """
248 """Dummy function for overriding"""
247 Dummy function for overriding
248 """
249 raise Exception('You have to write this function in child class')
249 raise Exception('You have to write this function in child class')
250
250
251 class HasPermissionAllDecorator(PermsDecorator):
251 class HasPermissionAllDecorator(PermsDecorator):
252 """
252 """Checks for access permission for all given predicates. All of them
253 Checks for access permission for all given predicates. All of them have to
253 have to be meet in order to fulfill the request
254 be meet in order to fulfill the request
255 """
254 """
256
255
257 def check_permissions(self):
256 def check_permissions(self):
258 if self.required_perms.issubset(self.user_perms.get('global')):
257 if self.required_perms.issubset(self.user_perms.get('global')):
259 return True
258 return True
260 return False
259 return False
261
260
262
261
263 class HasPermissionAnyDecorator(PermsDecorator):
262 class HasPermissionAnyDecorator(PermsDecorator):
264 """
263 """Checks for access permission for any of given predicates. In order to
265 Checks for access permission for any of given predicates. In order to
266 fulfill the request any of predicates must be meet
264 fulfill the request any of predicates must be meet
267 """
265 """
268
266
269 def check_permissions(self):
267 def check_permissions(self):
270 if self.required_perms.intersection(self.user_perms.get('global')):
268 if self.required_perms.intersection(self.user_perms.get('global')):
271 return True
269 return True
272 return False
270 return False
273
271
274 class HasRepoPermissionAllDecorator(PermsDecorator):
272 class HasRepoPermissionAllDecorator(PermsDecorator):
275 """
273 """Checks for access permission for all given predicates for specific
276 Checks for access permission for all given predicates for specific
277 repository. All of them have to be meet in order to fulfill the request
274 repository. All of them have to be meet in order to fulfill the request
278 """
275 """
279
276
280 def check_permissions(self):
277 def check_permissions(self):
281 repo_name = get_repo_slug(request)
278 repo_name = get_repo_slug(request)
282 try:
279 try:
283 user_perms = set([self.user_perms['repositories'][repo_name]])
280 user_perms = set([self.user_perms['repositories'][repo_name]])
284 except KeyError:
281 except KeyError:
285 return False
282 return False
286 if self.required_perms.issubset(user_perms):
283 if self.required_perms.issubset(user_perms):
287 return True
284 return True
288 return False
285 return False
289
286
290
287
291 class HasRepoPermissionAnyDecorator(PermsDecorator):
288 class HasRepoPermissionAnyDecorator(PermsDecorator):
292 """
289 """Checks for access permission for any of given predicates for specific
293 Checks for access permission for any of given predicates for specific
294 repository. In order to fulfill the request any of predicates must be meet
290 repository. In order to fulfill the request any of predicates must be meet
295 """
291 """
296
292
297 def check_permissions(self):
293 def check_permissions(self):
298 repo_name = get_repo_slug(request)
294 repo_name = get_repo_slug(request)
299
295
300 try:
296 try:
301 user_perms = set([self.user_perms['repositories'][repo_name]])
297 user_perms = set([self.user_perms['repositories'][repo_name]])
302 except KeyError:
298 except KeyError:
303 return False
299 return False
304 if self.required_perms.intersection(user_perms):
300 if self.required_perms.intersection(user_perms):
305 return True
301 return True
306 return False
302 return False
307 #===============================================================================
303 #===============================================================================
308 # CHECK FUNCTIONS
304 # CHECK FUNCTIONS
309 #===============================================================================
305 #===============================================================================
310
306
311 class PermsFunction(object):
307 class PermsFunction(object):
312 """
308 """Base function for other check functions"""
313 Base function for other check functions
314 """
315
309
316 def __init__(self, *perms):
310 def __init__(self, *perms):
317 available_perms = config['available_permissions']
311 available_perms = config['available_permissions']
318
312
319 for perm in perms:
313 for perm in perms:
320 if perm not in available_perms:
314 if perm not in available_perms:
321 raise Exception("'%s' permission in not defined" % perm)
315 raise Exception("'%s' permission in not defined" % perm)
322 self.required_perms = set(perms)
316 self.required_perms = set(perms)
323 self.user_perms = None
317 self.user_perms = None
324 self.granted_for = ''
318 self.granted_for = ''
325 self.repo_name = None
319 self.repo_name = None
326
320
327 def __call__(self, check_Location=''):
321 def __call__(self, check_Location=''):
328 user = session.get('hg_app_user', False)
322 user = session.get('hg_app_user', False)
329 if not user:
323 if not user:
330 return False
324 return False
331 self.user_perms = user.permissions
325 self.user_perms = user.permissions
332 self.granted_for = user.username
326 self.granted_for = user.username
333 log.debug('checking %s %s', self.__class__.__name__, self.required_perms)
327 log.debug('checking %s %s', self.__class__.__name__, self.required_perms)
334
328
335 if self.check_permissions():
329 if self.check_permissions():
336 log.debug('Permission granted for %s @%s', self.granted_for,
330 log.debug('Permission granted for %s @%s', self.granted_for,
337 check_Location)
331 check_Location)
338 return True
332 return True
339
333
340 else:
334 else:
341 log.warning('Permission denied for %s @%s', self.granted_for,
335 log.warning('Permission denied for %s @%s', self.granted_for,
342 check_Location)
336 check_Location)
343 return False
337 return False
344
338
345 def check_permissions(self):
339 def check_permissions(self):
346 """
340 """Dummy function for overriding"""
347 Dummy function for overriding
348 """
349 raise Exception('You have to write this function in child class')
341 raise Exception('You have to write this function in child class')
350
342
351 class HasPermissionAll(PermsFunction):
343 class HasPermissionAll(PermsFunction):
352 def check_permissions(self):
344 def check_permissions(self):
353 if self.required_perms.issubset(self.user_perms.get('global')):
345 if self.required_perms.issubset(self.user_perms.get('global')):
354 return True
346 return True
355 return False
347 return False
356
348
357 class HasPermissionAny(PermsFunction):
349 class HasPermissionAny(PermsFunction):
358 def check_permissions(self):
350 def check_permissions(self):
359 if self.required_perms.intersection(self.user_perms.get('global')):
351 if self.required_perms.intersection(self.user_perms.get('global')):
360 return True
352 return True
361 return False
353 return False
362
354
363 class HasRepoPermissionAll(PermsFunction):
355 class HasRepoPermissionAll(PermsFunction):
364
356
365 def __call__(self, repo_name=None, check_Location=''):
357 def __call__(self, repo_name=None, check_Location=''):
366 self.repo_name = repo_name
358 self.repo_name = repo_name
367 return super(HasRepoPermissionAll, self).__call__(check_Location)
359 return super(HasRepoPermissionAll, self).__call__(check_Location)
368
360
369 def check_permissions(self):
361 def check_permissions(self):
370 if not self.repo_name:
362 if not self.repo_name:
371 self.repo_name = get_repo_slug(request)
363 self.repo_name = get_repo_slug(request)
372
364
373 try:
365 try:
374 self.user_perms = set([self.user_perms['repositories']\
366 self.user_perms = set([self.user_perms['repositories']\
375 [self.repo_name]])
367 [self.repo_name]])
376 except KeyError:
368 except KeyError:
377 return False
369 return False
378 self.granted_for = self.repo_name
370 self.granted_for = self.repo_name
379 if self.required_perms.issubset(self.user_perms):
371 if self.required_perms.issubset(self.user_perms):
380 return True
372 return True
381 return False
373 return False
382
374
383 class HasRepoPermissionAny(PermsFunction):
375 class HasRepoPermissionAny(PermsFunction):
384
376
385
386 def __call__(self, repo_name=None, check_Location=''):
377 def __call__(self, repo_name=None, check_Location=''):
387 self.repo_name = repo_name
378 self.repo_name = repo_name
388 return super(HasRepoPermissionAny, self).__call__(check_Location)
379 return super(HasRepoPermissionAny, self).__call__(check_Location)
389
380
390 def check_permissions(self):
381 def check_permissions(self):
391 if not self.repo_name:
382 if not self.repo_name:
392 self.repo_name = get_repo_slug(request)
383 self.repo_name = get_repo_slug(request)
393
384
394 try:
385 try:
395 self.user_perms = set([self.user_perms['repositories']\
386 self.user_perms = set([self.user_perms['repositories']\
396 [self.repo_name]])
387 [self.repo_name]])
397 except KeyError:
388 except KeyError:
398 return False
389 return False
399 self.granted_for = self.repo_name
390 self.granted_for = self.repo_name
400 if self.required_perms.intersection(self.user_perms):
391 if self.required_perms.intersection(self.user_perms):
401 return True
392 return True
402 return False
393 return False
403
394
404 #===============================================================================
395 #===============================================================================
405 # SPECIAL VERSION TO HANDLE MIDDLEWARE AUTH
396 # SPECIAL VERSION TO HANDLE MIDDLEWARE AUTH
406 #===============================================================================
397 #===============================================================================
407
398
408 class HasPermissionAnyMiddleware(object):
399 class HasPermissionAnyMiddleware(object):
409 def __init__(self, *perms):
400 def __init__(self, *perms):
410 self.required_perms = set(perms)
401 self.required_perms = set(perms)
411
402
412 def __call__(self, user, repo_name):
403 def __call__(self, user, repo_name):
413 usr = AuthUser()
404 usr = AuthUser()
414 usr.user_id = user.user_id
405 usr.user_id = user.user_id
415 usr.username = user.username
406 usr.username = user.username
416 usr.is_admin = user.admin
407 usr.is_admin = user.admin
417
408
418 try:
409 try:
419 self.user_perms = set([fill_perms(usr)\
410 self.user_perms = set([fill_perms(usr)\
420 .permissions['repositories'][repo_name]])
411 .permissions['repositories'][repo_name]])
421 except:
412 except:
422 self.user_perms = set()
413 self.user_perms = set()
423 self.granted_for = ''
414 self.granted_for = ''
424 self.username = user.username
415 self.username = user.username
425 self.repo_name = repo_name
416 self.repo_name = repo_name
426 return self.check_permissions()
417 return self.check_permissions()
427
418
428 def check_permissions(self):
419 def check_permissions(self):
429 log.debug('checking mercurial protocol '
420 log.debug('checking mercurial protocol '
430 'permissions for user:%s repository:%s',
421 'permissions for user:%s repository:%s',
431 self.username, self.repo_name)
422 self.username, self.repo_name)
432 if self.required_perms.intersection(self.user_perms):
423 if self.required_perms.intersection(self.user_perms):
433 log.debug('permission granted')
424 log.debug('permission granted')
434 return True
425 return True
435 log.debug('permission denied')
426 log.debug('permission denied')
436 return False
427 return False
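Review bot: In the new `PermsDecorator.__wrapper`, the current user's permissions are stored on the decorator instance (`self.user_perms = session.get('hg_app_user', AuthUser()).permissions`), and that instance is created once per decorated view and shared by every request that reaches it. If the application serves requests from more than one thread, a second request can overwrite `self.user_perms` before the first one reaches `check_permissions()`, so an authorization decision may be made against another user's permissions. Keeping the value local and passing it down avoids this: `user_perms = session.get('hg_app_user', AuthUser()).permissions` followed by `if self.check_permissions(user_perms):`, with each subclass's `check_permissions` taking that argument. Separately, a visitor with no session gets `AuthUser().permissions == {}`, so `self.user_perms.get('global')` is `None` and the `issubset`/`intersection` call in the global-permission decorators raises `TypeError` instead of reaching `abort(403)`; `.get('global', set())` would keep the denial path explicit.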