upstream/kallithea Commit - r3146:c5169e44

Full IP restrictions enabled...

marcink -

r3146:c5169e44 beta

parent child

rhodecode/controllers/api/__init__.py

0 +4 -6

             HTTPBadRequest, HTTPError
             from rhodecode.model.db import User
-            from rhodecode.lib.auth import AuthUser, check_ip_access
+            from rhodecode.lib.auth import AuthUser
             from rhodecode.lib.base import _get_ip_addr, _get_access_path
             from rhodecode.lib.utils2 import safe_unicode
                         if u is None:
                             return jsonrpc_error(retid=self._req_id,
                                                  message='Invalid API KEY')
                         #check if we are allowed to use this IP
-                        allowed_ips = AuthUser.get_allowed_ips(u.user_id)
+                        auth_u = AuthUser(u.user_id, self._req_api_key, ip_addr=ip_addr)
-                        if check_ip_access(source_ip=ip_addr, allowed_ips=allowed_ips) is False:
+                        if not auth_u.ip_allowed:
-                            log.info('Access for IP:%s forbidden, '
-                                     'not in %s' % (ip_addr, allowed_ips))
                             return jsonrpc_error(retid=self._req_id,
                                     message='request from IP:%s not allowed' % (ip_addr))
                         else:
                             log.info('Access for IP:%s allowed' % (ip_addr))
-                        auth_u = AuthUser(u.user_id, self._req_api_key, ip_addr=ip_addr)
                     except Exception, e:
                         return jsonrpc_error(retid=self._req_id,
                                              message='Invalid API KEY')

rhodecode/controllers/login.py

0 +3 -4

                 def index(self):
                     # redirect if already logged in
                     c.came_from = request.GET.get('came_from')
+                    not_default = self.rhodecode_user.username != 'default'
-                    if self.rhodecode_user.is_authenticated \
+                    ip_allowed = self.rhodecode_user.ip_allowed
-                                        and self.rhodecode_user.username != 'default':
+                    if self.rhodecode_user.is_authenticated and not_default and ip_allowed:
                         return redirect(url('home'))
                     if request.POST:

rhodecode/lib/auth.py

0 +35 -7

             from rhodecode.model import meta
             from rhodecode.model.user import UserModel
             from rhodecode.model.db import Permission, RhodeCodeSetting, User, UserIpMap
+            from rhodecode.lib.caching_query import FromCache
             log = logging.getLogger(__name__)
                     self.admin = False
                     self.inherit_default_permissions = False
                     self.permissions = {}
-                    self.allowed_ips = set()
                     self._api_key = api_key
                     self.propagate_data()
                     self._instance = None
                     log.debug('Auth User is now %s' % self)
                     user_model.fill_perms(self)
-                    log.debug('Filling Allowed IPs')
-                    self.allowed_ips = AuthUser.get_allowed_ips(self.user_id)
                 @property
                 def is_admin(self):
                     return self.admin
+                @property
+                def ip_allowed(self):
+                    """
+                    Checks if ip_addr used in constructor is allowed from defined list of
+                    allowed ip_addresses for user
+                    :returns: boolean, True if ip is in allowed ip range
+                    """
+                    #check IP
+                    allowed_ips = AuthUser.get_allowed_ips(self.user_id, cache=True)
+                    if check_ip_access(source_ip=self.ip_addr, allowed_ips=allowed_ips):
+                        log.debug('IP:%s is in range of %s' % (self.ip_addr, allowed_ips))
+                        return True
+                    else:
+                        log.info('Access for IP:%s forbidden, '
+                                 'not in %s' % (self.ip_addr, allowed_ips))
+                        return False
                 def __repr__(self):
                     return "<AuthUser('id:%s:%s|%s')>" % (self.user_id, self.username,
                                                           self.is_authenticated)
                     return AuthUser(user_id, api_key, username)
                 @classmethod
-                def get_allowed_ips(cls, user_id):
+                def get_allowed_ips(cls, user_id, cache=False):
                     _set = set()
-                    user_ips = UserIpMap.query().filter(UserIpMap.user_id == user_id).all()
+                    user_ips = UserIpMap.query().filter(UserIpMap.user_id == user_id)
+                    if cache:
+                        user_ips = user_ips.options(FromCache("sql_cache_short",
+                                                              "get_user_ips_%s" % user_id))
                     for ip in user_ips:
                         _set.add(ip.ip_addr)
                     return _set or set(['0.0.0.0/0'])
                 def __wrapper(self, func, *fargs, **fkwargs):
                     cls = fargs[0]
                     user = cls.rhodecode_user
+                    loc = "%s:%s" % (cls.__class__.__name__, func.__name__)
+                    #check IP
+                    ip_access_ok = True
+                    if not user.ip_allowed:
+                        from rhodecode.lib import helpers as h
+                        h.flash(h.literal(_('IP %s not allowed' % (user.ip_addr))),
+                                category='warning')
+                        ip_access_ok = False
                     api_access_ok = False
                     if self.api_access:
                             api_access_ok = True
                         else:
                             log.debug("API KEY token not valid")
-                    loc = "%s:%s" % (cls.__class__.__name__, func.__name__)
                     log.debug('Checking if %s is authenticated @ %s' % (user.username, loc))
-                    if user.is_authenticated or api_access_ok:
+                    if (user.is_authenticated or api_access_ok) and ip_access_ok:
                         reason = 'RegularAuth' if user.is_authenticated else 'APIAuth'
                         log.info('user %s is authenticated and granted access to %s '
                                  'using %s' % (user.username, loc, reason)

rhodecode/lib/base.py

0 +3 -5

             from rhodecode.lib.utils2 import str2bool, safe_unicode, AttributeDict,\
                 safe_str, safe_int
             from rhodecode.lib.auth import AuthUser, get_container_username, authfunc,\
-                HasPermissionAnyMiddleware, CookieStoreWrapper, check_ip_access
+                HasPermissionAnyMiddleware, CookieStoreWrapper
             from rhodecode.lib.utils import get_repo_slug, invalidate_cache
             from rhodecode.model import meta
                     :param repo_name: repository name
                     """
                     #check IP
-                    allowed_ips = AuthUser.get_allowed_ips(user.user_id)
+                    authuser = AuthUser(user_id=user.user_id, ip_addr=ip_addr)
-                    if check_ip_access(source_ip=ip_addr, allowed_ips=allowed_ips) is False:
+                    if not authuser.ip_allowed:
-                        log.info('Access for IP:%s forbidden, '
-                                 'not in %s' % (ip_addr, allowed_ips))
                         return False
                     else:
                         log.info('Access for IP:%s allowed' % (ip_addr))

rhodecode/model/db.py

0 +1 0

                 ip_id = Column("ip_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)
                 user_id = Column("user_id", Integer(), ForeignKey('users.user_id'), nullable=True, unique=None, default=None)
                 ip_addr = Column("ip_addr", String(255, convert_unicode=False, assert_unicode=None), nullable=True, unique=False, default=None)
+                active = Column("active", Boolean(), nullable=True, unique=None, default=True)
                 user = relationship('User', lazy='joined')
                 @classmethod

rhodecode/model/user.py

0 0 -1

             import traceback
             import itertools
             import collections
-            import functools
             from pylons import url
             from pylons.i18n.translation import _

rhodecode/public/css/style.css

0 0 -3

             }
             #login div.title {
-            	width: 420px;
             	clear: both;
             	overflow: hidden;
             	position: relative;
             }
             #login div.inner {
-            	width: 380px;
             	background: #FFF url("../images/login.png") no-repeat top left;
             	border-top: none;
             	border-bottom: none;
             }
             #login div.form div.fields div.field div.input input {
-            	width: 176px;
             	background: #FFF;
             	border-top: 1px solid #b3b3b3;
             	border-left: 1px solid #b3b3b3;

General Comments 0

Write
Preview

You need to be logged in to leave comments. Login now

No TODOs yet

	Site-wide shortcuts
/	Use quick search box
g h	Goto home page
g g	Goto my private gists page
g G	Goto my public gists page
g 0-9	Goto bookmarked items from 0-9
n r	New repository page
n g	New gist page

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages