##// END OF EJS Templates
Full IP restrictions enabled...
marcink -
r3146:c5169e44 beta
parent child Browse files
Show More
@@ -43,7 +43,7 b' from webob.exc import HTTPNotFound, HTTP'
43 43 HTTPBadRequest, HTTPError
44 44
45 45 from rhodecode.model.db import User
46 from rhodecode.lib.auth import AuthUser, check_ip_access
46 from rhodecode.lib.auth import AuthUser
47 47 from rhodecode.lib.base import _get_ip_addr, _get_access_path
48 48 from rhodecode.lib.utils2 import safe_unicode
49 49
@@ -148,17 +148,15 b' class JSONRPCController(WSGIController):'
148 148 if u is None:
149 149 return jsonrpc_error(retid=self._req_id,
150 150 message='Invalid API KEY')
151
151 152 #check if we are allowed to use this IP
152 allowed_ips = AuthUser.get_allowed_ips(u.user_id)
153 if check_ip_access(source_ip=ip_addr, allowed_ips=allowed_ips) is False:
154 log.info('Access for IP:%s forbidden, '
155 'not in %s' % (ip_addr, allowed_ips))
153 auth_u = AuthUser(u.user_id, self._req_api_key, ip_addr=ip_addr)
154 if not auth_u.ip_allowed:
156 155 return jsonrpc_error(retid=self._req_id,
157 156 message='request from IP:%s not allowed' % (ip_addr))
158 157 else:
159 158 log.info('Access for IP:%s allowed' % (ip_addr))
160 159
161 auth_u = AuthUser(u.user_id, self._req_api_key, ip_addr=ip_addr)
162 160 except Exception, e:
163 161 return jsonrpc_error(retid=self._req_id,
164 162 message='Invalid API KEY')
@@ -54,10 +54,9 b' class LoginController(BaseController):'
54 54 def index(self):
55 55 # redirect if already logged in
56 56 c.came_from = request.GET.get('came_from')
57
58 if self.rhodecode_user.is_authenticated \
59 and self.rhodecode_user.username != 'default':
60
57 not_default = self.rhodecode_user.username != 'default'
58 ip_allowed = self.rhodecode_user.ip_allowed
59 if self.rhodecode_user.is_authenticated and not_default and ip_allowed:
61 60 return redirect(url('home'))
62 61
63 62 if request.POST:
@@ -46,6 +46,7 b' from rhodecode.lib.auth_ldap import Auth'
46 46 from rhodecode.model import meta
47 47 from rhodecode.model.user import UserModel
48 48 from rhodecode.model.db import Permission, RhodeCodeSetting, User, UserIpMap
49 from rhodecode.lib.caching_query import FromCache
49 50
50 51 log = logging.getLogger(__name__)
51 52
@@ -327,7 +328,6 b' class AuthUser(object):'
327 328 self.admin = False
328 329 self.inherit_default_permissions = False
329 330 self.permissions = {}
330 self.allowed_ips = set()
331 331 self._api_key = api_key
332 332 self.propagate_data()
333 333 self._instance = None
@@ -377,13 +377,29 b' class AuthUser(object):'
377 377
378 378 log.debug('Auth User is now %s' % self)
379 379 user_model.fill_perms(self)
380 log.debug('Filling Allowed IPs')
381 self.allowed_ips = AuthUser.get_allowed_ips(self.user_id)
382 380
383 381 @property
384 382 def is_admin(self):
385 383 return self.admin
386 384
385 @property
386 def ip_allowed(self):
387 """
388 Checks if ip_addr used in constructor is allowed from defined list of
389 allowed ip_addresses for user
390
391 :returns: boolean, True if ip is in allowed ip range
392 """
393 #check IP
394 allowed_ips = AuthUser.get_allowed_ips(self.user_id, cache=True)
395 if check_ip_access(source_ip=self.ip_addr, allowed_ips=allowed_ips):
396 log.debug('IP:%s is in range of %s' % (self.ip_addr, allowed_ips))
397 return True
398 else:
399 log.info('Access for IP:%s forbidden, '
400 'not in %s' % (self.ip_addr, allowed_ips))
401 return False
402
387 403 def __repr__(self):
388 404 return "<AuthUser('id:%s:%s|%s')>" % (self.user_id, self.username,
389 405 self.is_authenticated)
@@ -411,9 +427,12 b' class AuthUser(object):'
411 427 return AuthUser(user_id, api_key, username)
412 428
413 429 @classmethod
414 def get_allowed_ips(cls, user_id):
430 def get_allowed_ips(cls, user_id, cache=False):
415 431 _set = set()
416 user_ips = UserIpMap.query().filter(UserIpMap.user_id == user_id).all()
432 user_ips = UserIpMap.query().filter(UserIpMap.user_id == user_id)
433 if cache:
434 user_ips = user_ips.options(FromCache("sql_cache_short",
435 "get_user_ips_%s" % user_id))
417 436 for ip in user_ips:
418 437 _set.add(ip.ip_addr)
419 438 return _set or set(['0.0.0.0/0'])
@@ -462,6 +481,15 b' class LoginRequired(object):'
462 481 def __wrapper(self, func, *fargs, **fkwargs):
463 482 cls = fargs[0]
464 483 user = cls.rhodecode_user
484 loc = "%s:%s" % (cls.__class__.__name__, func.__name__)
485
486 #check IP
487 ip_access_ok = True
488 if not user.ip_allowed:
489 from rhodecode.lib import helpers as h
490 h.flash(h.literal(_('IP %s not allowed' % (user.ip_addr))),
491 category='warning')
492 ip_access_ok = False
465 493
466 494 api_access_ok = False
467 495 if self.api_access:
@@ -470,9 +498,9 b' class LoginRequired(object):'
470 498 api_access_ok = True
471 499 else:
472 500 log.debug("API KEY token not valid")
473 loc = "%s:%s" % (cls.__class__.__name__, func.__name__)
501
474 502 log.debug('Checking if %s is authenticated @ %s' % (user.username, loc))
475 if user.is_authenticated or api_access_ok:
503 if (user.is_authenticated or api_access_ok) and ip_access_ok:
476 504 reason = 'RegularAuth' if user.is_authenticated else 'APIAuth'
477 505 log.info('user %s is authenticated and granted access to %s '
478 506 'using %s' % (user.username, loc, reason)
@@ -20,7 +20,7 b' from rhodecode import __version__, BACKE'
20 20 from rhodecode.lib.utils2 import str2bool, safe_unicode, AttributeDict,\
21 21 safe_str, safe_int
22 22 from rhodecode.lib.auth import AuthUser, get_container_username, authfunc,\
23 HasPermissionAnyMiddleware, CookieStoreWrapper, check_ip_access
23 HasPermissionAnyMiddleware, CookieStoreWrapper
24 24 from rhodecode.lib.utils import get_repo_slug, invalidate_cache
25 25 from rhodecode.model import meta
26 26
@@ -146,10 +146,8 b' class BaseVCSController(object):'
146 146 :param repo_name: repository name
147 147 """
148 148 #check IP
149 allowed_ips = AuthUser.get_allowed_ips(user.user_id)
150 if check_ip_access(source_ip=ip_addr, allowed_ips=allowed_ips) is False:
151 log.info('Access for IP:%s forbidden, '
152 'not in %s' % (ip_addr, allowed_ips))
149 authuser = AuthUser(user_id=user.user_id, ip_addr=ip_addr)
150 if not authuser.ip_allowed:
153 151 return False
154 152 else:
155 153 log.info('Access for IP:%s allowed' % (ip_addr))
@@ -536,6 +536,7 b' class UserIpMap(Base, BaseModel):'
536 536 ip_id = Column("ip_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)
537 537 user_id = Column("user_id", Integer(), ForeignKey('users.user_id'), nullable=True, unique=None, default=None)
538 538 ip_addr = Column("ip_addr", String(255, convert_unicode=False, assert_unicode=None), nullable=True, unique=False, default=None)
539 active = Column("active", Boolean(), nullable=True, unique=None, default=True)
539 540 user = relationship('User', lazy='joined')
540 541
541 542 @classmethod
@@ -27,7 +27,6 b' import logging'
27 27 import traceback
28 28 import itertools
29 29 import collections
30 import functools
31 30 from pylons import url
32 31 from pylons.i18n.translation import _
33 32
@@ -2002,7 +2002,6 b' a.metatag[tag="license"]:hover {'
2002 2002 }
2003 2003
2004 2004 #login div.title {
2005 width: 420px;
2006 2005 clear: both;
2007 2006 overflow: hidden;
2008 2007 position: relative;
@@ -2021,7 +2020,6 b' a.metatag[tag="license"]:hover {'
2021 2020 }
2022 2021
2023 2022 #login div.inner {
2024 width: 380px;
2025 2023 background: #FFF url("../images/login.png") no-repeat top left;
2026 2024 border-top: none;
2027 2025 border-bottom: none;
@@ -2038,7 +2036,6 b' a.metatag[tag="license"]:hover {'
2038 2036 }
2039 2037
2040 2038 #login div.form div.fields div.field div.input input {
2041 width: 176px;
2042 2039 background: #FFF;
2043 2040 border-top: 1px solid #b3b3b3;
2044 2041 border-left: 1px solid #b3b3b3;
General Comments 0
You need to be logged in to leave comments. Login now