##// END OF EJS Templates
upstream » kallithea
RSS

Clone from https://kallithea-scm.org/repos/kallithea

auth: always consider the repo group owner an admin when computing it's permissions...
Mads Kiilerich -
r8770:e27ff6a9 stable
parent child Browse files
Show More
Show file before | Show file after | Hide comments
@@ -1,723 +1,726 b''
1 1 # -*- coding: utf-8 -*-
2 2 # This program is free software: you can redistribute it and/or modify
3 3 # it under the terms of the GNU General Public License as published by
4 4 # the Free Software Foundation, either version 3 of the License, or
5 5 # (at your option) any later version.
6 6 #
7 7 # This program is distributed in the hope that it will be useful,
8 8 # but WITHOUT ANY WARRANTY; without even the implied warranty of
9 9 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10 10 # GNU General Public License for more details.
11 11 #
12 12 # You should have received a copy of the GNU General Public License
13 13 # along with this program. If not, see <http://www.gnu.org/licenses/>.
14 14 """
15 15 kallithea.lib.auth
16 16 ~~~~~~~~~~~~~~~~~~
17 17
18 18 authentication and permission libraries
19 19
20 20 This file was forked by the Kallithea project in July 2014.
21 21 Original author and date, and relevant copyright and licensing information is below:
22 22 :created_on: Apr 4, 2010
23 23 :author: marcink
24 24 :copyright: (c) 2013 RhodeCode GmbH, and others.
25 25 :license: GPLv3, see LICENSE.md for more details.
26 26 """
27 27 import itertools
28 28 import logging
29 29
30 30 import ipaddr
31 31 from decorator import decorator
32 32 from sqlalchemy.orm import joinedload
33 33 from sqlalchemy.orm.exc import ObjectDeletedError
34 34 from tg import request
35 35 from tg.i18n import ugettext as _
36 36 from webob.exc import HTTPForbidden, HTTPFound
37 37
38 38 import kallithea
39 39 from kallithea.lib import webutils
40 40 from kallithea.lib.utils import get_repo_group_slug, get_repo_slug, get_user_group_slug
41 41 from kallithea.lib.vcs.utils.lazy import LazyProperty
42 42 from kallithea.lib.webutils import url
43 43 from kallithea.model import db, meta
44 44 from kallithea.model.user import UserModel
45 45
46 46
47 47 log = logging.getLogger(__name__)
48 48
49 49
50 50 PERM_WEIGHTS = db.Permission.PERM_WEIGHTS
51 51
52 52 def bump_permission(permissions, key, new_perm):
53 53 """Add a new permission for key to permissions.
54 54 Assuming the permissions are comparable, set the new permission if it
55 55 has higher weight, else drop it and keep the old permission.
56 56 """
57 57 cur_perm = permissions[key]
58 58 new_perm_val = PERM_WEIGHTS[new_perm]
59 59 cur_perm_val = PERM_WEIGHTS[cur_perm]
60 60 if new_perm_val > cur_perm_val:
61 61 permissions[key] = new_perm
62 62
63 63 class AuthUser(object):
64 64 """
65 65 Represents a Kallithea user, including various authentication and
66 66 authorization information. Typically used to store the current user,
67 67 but is also used as a generic user information data structure in
68 68 parts of the code, e.g. user management.
69 69
70 70 Constructed from a database `User` object, a user ID or cookie dict,
71 71 it looks up the user (if needed) and copies all attributes to itself,
72 72 adding various non-persistent data. If lookup fails but anonymous
73 73 access to Kallithea is enabled, the default user is loaded instead.
74 74
75 75 `AuthUser` does not by itself authenticate users. It's up to other parts of
76 76 the code to check e.g. if a supplied password is correct, and if so, trust
77 77 the AuthUser object as an authenticated user.
78 78
79 79 However, `AuthUser` does refuse to load a user that is not `active`.
80 80
81 81 Note that Kallithea distinguishes between the default user (an actual
82 82 user in the database with username "default") and "no user" (no actual
83 83 User object, AuthUser filled with blank values and username "None").
84 84
85 85 If the default user is active, that will always be used instead of
86 86 "no user". On the other hand, if the default user is disabled (and
87 87 there is no login information), we instead get "no user"; this should
88 88 only happen on the login page (as all other requests are redirected).
89 89
90 90 `is_default_user` specifically checks if the AuthUser is the user named
91 91 "default". Use `is_anonymous` to check for both "default" and "no user".
92 92 """
93 93
94 94 @classmethod
95 95 def make(cls, dbuser=None, is_external_auth=False, ip_addr=None):
96 96 """Create an AuthUser to be authenticated ... or return None if user for some reason can't be authenticated.
97 97 Checks that a non-None dbuser is provided, is active, and that the IP address is ok.
98 98 """
99 99 assert ip_addr is not None
100 100 if dbuser is None:
101 101 log.info('No db user for authentication')
102 102 return None
103 103 if not dbuser.active:
104 104 log.info('Db user %s not active', dbuser.username)
105 105 return None
106 106 allowed_ips = AuthUser.get_allowed_ips(dbuser.user_id)
107 107 if not check_ip_access(source_ip=ip_addr, allowed_ips=allowed_ips):
108 108 log.info('Access for %s from %s forbidden - not in %s', dbuser.username, ip_addr, allowed_ips)
109 109 return None
110 110 return cls(dbuser=dbuser, is_external_auth=is_external_auth)
111 111
112 112 def __init__(self, user_id=None, dbuser=None, is_external_auth=False):
113 113 self.is_external_auth = is_external_auth # container auth - don't show logout option
114 114
115 115 # These attributes will be overridden below if the requested user is
116 116 # found or anonymous access (using the default user) is enabled.
117 117 self.user_id = None
118 118 self.username = None
119 119 self.api_key = None
120 120 self.name = ''
121 121 self.lastname = ''
122 122 self.email = ''
123 123 self.admin = False
124 124
125 125 # Look up database user, if necessary.
126 126 if user_id is not None:
127 127 assert dbuser is None
128 128 log.debug('Auth User lookup by USER ID %s', user_id)
129 129 dbuser = UserModel().get(user_id)
130 130 assert dbuser is not None
131 131 else:
132 132 assert dbuser is not None
133 133 log.debug('Auth User lookup by database user %s', dbuser)
134 134
135 135 log.debug('filling %s data', dbuser)
136 136 self.is_anonymous = dbuser.is_default_user
137 137 if dbuser.is_default_user and not dbuser.active:
138 138 self.username = 'None'
139 139 self.is_default_user = False
140 140 else:
141 141 # copy non-confidential database fields from a `db.User` to this `AuthUser`.
142 142 for k, v in dbuser.get_dict().items():
143 143 assert k not in ['api_keys', 'permissions']
144 144 setattr(self, k, v)
145 145 self.is_default_user = dbuser.is_default_user
146 146 log.debug('Auth User is now %s', self)
147 147
148 148 @LazyProperty
149 149 def global_permissions(self):
150 150 log.debug('Getting global permissions for %s', self)
151 151
152 152 if self.is_admin:
153 153 return set(['hg.admin'])
154 154
155 155 global_permissions = set()
156 156
157 157 # default global permissions from the default user
158 158 default_global_perms = db.UserToPerm.query() \
159 159 .filter(db.UserToPerm.user_id == kallithea.DEFAULT_USER_ID) \
160 160 .options(joinedload(db.UserToPerm.permission))
161 161 for perm in default_global_perms:
162 162 global_permissions.add(perm.permission.permission_name)
163 163
164 164 # user group global permissions
165 165 user_perms_from_users_groups = meta.Session().query(db.UserGroupToPerm) \
166 166 .options(joinedload(db.UserGroupToPerm.permission)) \
167 167 .join((db.UserGroupMember, db.UserGroupToPerm.users_group_id ==
168 168 db.UserGroupMember.users_group_id)) \
169 169 .filter(db.UserGroupMember.user_id == self.user_id) \
170 170 .join((db.UserGroup, db.UserGroupMember.users_group_id ==
171 171 db.UserGroup.users_group_id)) \
172 172 .filter(db.UserGroup.users_group_active == True) \
173 173 .order_by(db.UserGroupToPerm.users_group_id) \
174 174 .all()
175 175 # need to group here by groups since user can be in more than
176 176 # one group
177 177 _grouped = [[x, list(y)] for x, y in
178 178 itertools.groupby(user_perms_from_users_groups,
179 179 lambda x:x.users_group)]
180 180 for gr, perms in _grouped:
181 181 for perm in perms:
182 182 global_permissions.add(perm.permission.permission_name)
183 183
184 184 # user specific global permissions
185 185 user_perms = meta.Session().query(db.UserToPerm) \
186 186 .options(joinedload(db.UserToPerm.permission)) \
187 187 .filter(db.UserToPerm.user_id == self.user_id).all()
188 188 for perm in user_perms:
189 189 global_permissions.add(perm.permission.permission_name)
190 190
191 191 # for each kind of global permissions, only keep the one with heighest weight
192 192 kind_max_perm = {}
193 193 for perm in sorted(global_permissions, key=lambda n: PERM_WEIGHTS.get(n, -1)):
194 194 kind = perm.rsplit('.', 1)[0]
195 195 kind_max_perm[kind] = perm
196 196 return set(kind_max_perm.values())
197 197
198 198 @LazyProperty
199 199 def repository_permissions(self):
200 200 log.debug('Getting repository permissions for %s', self)
201 201 repository_permissions = {}
202 202 default_repo_perms = db.Permission.get_default_perms(kallithea.DEFAULT_USER_ID)
203 203
204 204 if self.is_admin:
205 205 for perm in default_repo_perms:
206 206 r_k = perm.repository.repo_name
207 207 p = 'repository.admin'
208 208 repository_permissions[r_k] = p
209 209
210 210 else:
211 211 # defaults for repositories from default user
212 212 for perm in default_repo_perms:
213 213 r_k = perm.repository.repo_name
214 214 if perm.repository.owner_id == self.user_id:
215 215 p = 'repository.admin'
216 216 elif perm.repository.private:
217 217 p = 'repository.none'
218 218 else:
219 219 p = perm.permission.permission_name
220 220 repository_permissions[r_k] = p
221 221
222 222 # user group repository permissions
223 223 user_repo_perms_from_users_groups = \
224 224 meta.Session().query(db.UserGroupRepoToPerm) \
225 225 .join((db.UserGroup, db.UserGroupRepoToPerm.users_group_id ==
226 226 db.UserGroup.users_group_id)) \
227 227 .filter(db.UserGroup.users_group_active == True) \
228 228 .join((db.UserGroupMember, db.UserGroupRepoToPerm.users_group_id ==
229 229 db.UserGroupMember.users_group_id)) \
230 230 .filter(db.UserGroupMember.user_id == self.user_id) \
231 231 .options(joinedload(db.UserGroupRepoToPerm.repository)) \
232 232 .options(joinedload(db.UserGroupRepoToPerm.permission)) \
233 233 .all()
234 234 for perm in user_repo_perms_from_users_groups:
235 235 bump_permission(repository_permissions,
236 236 perm.repository.repo_name,
237 237 perm.permission.permission_name)
238 238
239 239 # user permissions for repositories
240 240 user_repo_perms = db.Permission.get_default_perms(self.user_id)
241 241 for perm in user_repo_perms:
242 242 bump_permission(repository_permissions,
243 243 perm.repository.repo_name,
244 244 perm.permission.permission_name)
245 245
246 246 return repository_permissions
247 247
248 248 @LazyProperty
249 249 def repository_group_permissions(self):
250 250 log.debug('Getting repository group permissions for %s', self)
251 251 repository_group_permissions = {}
252 252 default_repo_groups_perms = db.Permission.get_default_group_perms(kallithea.DEFAULT_USER_ID)
253 253
254 254 if self.is_admin:
255 255 for perm in default_repo_groups_perms:
256 256 rg_k = perm.group.group_name
257 257 p = 'group.admin'
258 258 repository_group_permissions[rg_k] = p
259 259
260 260 else:
261 261 # defaults for repository groups taken from default user permission
262 262 # on given group
263 263 for perm in default_repo_groups_perms:
264 264 rg_k = perm.group.group_name
265 p = perm.permission.permission_name
265 if perm.group.owner_id == self.user_id:
266 p = 'group.admin'
267 else:
268 p = perm.permission.permission_name
266 269 repository_group_permissions[rg_k] = p
267 270
268 271 # user group for repo groups permissions
269 272 user_repo_group_perms_from_users_groups = \
270 273 meta.Session().query(db.UserGroupRepoGroupToPerm) \
271 274 .join((db.UserGroup, db.UserGroupRepoGroupToPerm.users_group_id ==
272 275 db.UserGroup.users_group_id)) \
273 276 .filter(db.UserGroup.users_group_active == True) \
274 277 .join((db.UserGroupMember, db.UserGroupRepoGroupToPerm.users_group_id
275 278 == db.UserGroupMember.users_group_id)) \
276 279 .filter(db.UserGroupMember.user_id == self.user_id) \
277 280 .options(joinedload(db.UserGroupRepoGroupToPerm.permission)) \
278 281 .all()
279 282 for perm in user_repo_group_perms_from_users_groups:
280 283 bump_permission(repository_group_permissions,
281 284 perm.group.group_name,
282 285 perm.permission.permission_name)
283 286
284 287 # user explicit permissions for repository groups
285 288 user_repo_groups_perms = db.Permission.get_default_group_perms(self.user_id)
286 289 for perm in user_repo_groups_perms:
287 290 bump_permission(repository_group_permissions,
288 291 perm.group.group_name,
289 292 perm.permission.permission_name)
290 293
291 294 return repository_group_permissions
292 295
293 296 @LazyProperty
294 297 def user_group_permissions(self):
295 298 log.debug('Getting user group permissions for %s', self)
296 299 user_group_permissions = {}
297 300 default_user_group_perms = db.Permission.get_default_user_group_perms(kallithea.DEFAULT_USER_ID)
298 301
299 302 if self.is_admin:
300 303 for perm in default_user_group_perms:
301 304 u_k = perm.user_group.users_group_name
302 305 p = 'usergroup.admin'
303 306 user_group_permissions[u_k] = p
304 307
305 308 else:
306 309 # defaults for user groups taken from default user permission
307 310 # on given user group
308 311 for perm in default_user_group_perms:
309 312 u_k = perm.user_group.users_group_name
310 313 p = perm.permission.permission_name
311 314 user_group_permissions[u_k] = p
312 315
313 316 # user group for user group permissions
314 317 user_group_user_groups_perms = \
315 318 meta.Session().query(db.UserGroupUserGroupToPerm) \
316 319 .join((db.UserGroup, db.UserGroupUserGroupToPerm.target_user_group_id
317 320 == db.UserGroup.users_group_id)) \
318 321 .join((db.UserGroupMember, db.UserGroupUserGroupToPerm.user_group_id
319 322 == db.UserGroupMember.users_group_id)) \
320 323 .filter(db.UserGroupMember.user_id == self.user_id) \
321 324 .join((db.UserGroup, db.UserGroupMember.users_group_id ==
322 325 db.UserGroup.users_group_id), aliased=True, from_joinpoint=True) \
323 326 .filter(db.UserGroup.users_group_active == True) \
324 327 .options(joinedload(db.UserGroupUserGroupToPerm.permission)) \
325 328 .all()
326 329 for perm in user_group_user_groups_perms:
327 330 bump_permission(user_group_permissions,
328 331 perm.target_user_group.users_group_name,
329 332 perm.permission.permission_name)
330 333
331 334 # user explicit permission for user groups
332 335 user_user_groups_perms = db.Permission.get_default_user_group_perms(self.user_id)
333 336 for perm in user_user_groups_perms:
334 337 bump_permission(user_group_permissions,
335 338 perm.user_group.users_group_name,
336 339 perm.permission.permission_name)
337 340
338 341 return user_group_permissions
339 342
340 343 @LazyProperty
341 344 def permissions(self):
342 345 """dict with all 4 kind of permissions - mainly for backwards compatibility"""
343 346 return {
344 347 'global': self.global_permissions,
345 348 'repositories': self.repository_permissions,
346 349 'repositories_groups': self.repository_group_permissions,
347 350 'user_groups': self.user_group_permissions,
348 351 }
349 352
350 353 def has_repository_permission_level(self, repo_name, level, purpose=None):
351 354 required_perms = {
352 355 'read': ['repository.read', 'repository.write', 'repository.admin'],
353 356 'write': ['repository.write', 'repository.admin'],
354 357 'admin': ['repository.admin'],
355 358 }[level]
356 359 actual_perm = self.repository_permissions.get(repo_name)
357 360 ok = actual_perm in required_perms
358 361 log.debug('Checking if user %r can %r repo %r (%s): %s (has %r)',
359 362 self.username, level, repo_name, purpose, ok, actual_perm)
360 363 return ok
361 364
362 365 def has_repository_group_permission_level(self, repo_group_name, level, purpose=None):
363 366 required_perms = {
364 367 'read': ['group.read', 'group.write', 'group.admin'],
365 368 'write': ['group.write', 'group.admin'],
366 369 'admin': ['group.admin'],
367 370 }[level]
368 371 actual_perm = self.repository_group_permissions.get(repo_group_name)
369 372 ok = actual_perm in required_perms
370 373 log.debug('Checking if user %r can %r repo group %r (%s): %s (has %r)',
371 374 self.username, level, repo_group_name, purpose, ok, actual_perm)
372 375 return ok
373 376
374 377 def has_user_group_permission_level(self, user_group_name, level, purpose=None):
375 378 required_perms = {
376 379 'read': ['usergroup.read', 'usergroup.write', 'usergroup.admin'],
377 380 'write': ['usergroup.write', 'usergroup.admin'],
378 381 'admin': ['usergroup.admin'],
379 382 }[level]
380 383 actual_perm = self.user_group_permissions.get(user_group_name)
381 384 ok = actual_perm in required_perms
382 385 log.debug('Checking if user %r can %r user group %r (%s): %s (has %r)',
383 386 self.username, level, user_group_name, purpose, ok, actual_perm)
384 387 return ok
385 388
386 389 @property
387 390 def api_keys(self):
388 391 return self._get_api_keys()
389 392
390 393 def _get_api_keys(self):
391 394 api_keys = [self.api_key]
392 395 for api_key in db.UserApiKeys.query() \
393 396 .filter_by(user_id=self.user_id, is_expired=False):
394 397 api_keys.append(api_key.api_key)
395 398
396 399 return api_keys
397 400
398 401 @property
399 402 def is_admin(self):
400 403 return self.admin
401 404
402 405 @property
403 406 def repositories_admin(self):
404 407 """
405 408 Returns list of repositories you're an admin of
406 409 """
407 410 return [x[0] for x in self.repository_permissions.items()
408 411 if x[1] == 'repository.admin']
409 412
410 413 @property
411 414 def repository_groups_admin(self):
412 415 """
413 416 Returns list of repository groups you're an admin of
414 417 """
415 418 return [x[0] for x in self.repository_group_permissions.items()
416 419 if x[1] == 'group.admin']
417 420
418 421 @property
419 422 def user_groups_admin(self):
420 423 """
421 424 Returns list of user groups you're an admin of
422 425 """
423 426 return [x[0] for x in self.user_group_permissions.items()
424 427 if x[1] == 'usergroup.admin']
425 428
426 429 def __repr__(self):
427 430 return "<%s %s: %r>" % (self.__class__.__name__, self.user_id, self.username)
428 431
429 432 def to_cookie(self):
430 433 """ Serializes this login session to a cookie `dict`. """
431 434 return {
432 435 'user_id': self.user_id,
433 436 'is_external_auth': self.is_external_auth,
434 437 }
435 438
436 439 @staticmethod
437 440 def from_cookie(cookie, ip_addr):
438 441 """
439 442 Deserializes an `AuthUser` from a cookie `dict` ... or return None.
440 443 """
441 444 return AuthUser.make(
442 445 dbuser=UserModel().get(cookie.get('user_id')),
443 446 is_external_auth=cookie.get('is_external_auth', False),
444 447 ip_addr=ip_addr,
445 448 )
446 449
447 450 @classmethod
448 451 def get_allowed_ips(cls, user_id):
449 452 _set = set()
450 453
451 454 default_ips = db.UserIpMap.query().filter(db.UserIpMap.user_id == kallithea.DEFAULT_USER_ID)
452 455 for ip in default_ips:
453 456 try:
454 457 _set.add(ip.ip_addr)
455 458 except ObjectDeletedError:
456 459 # since we use heavy caching sometimes it happens that we get
457 460 # deleted objects here, we just skip them
458 461 pass
459 462
460 463 user_ips = db.UserIpMap.query().filter(db.UserIpMap.user_id == user_id)
461 464 for ip in user_ips:
462 465 try:
463 466 _set.add(ip.ip_addr)
464 467 except ObjectDeletedError:
465 468 # since we use heavy caching sometimes it happens that we get
466 469 # deleted objects here, we just skip them
467 470 pass
468 471 return _set or set(['0.0.0.0/0', '::/0'])
469 472
470 473 def get_all_user_repos(self):
471 474 """
472 475 Gets all repositories that user have at least read access
473 476 """
474 477 repos = [repo_name
475 478 for repo_name, perm in self.repository_permissions.items()
476 479 if perm in ['repository.read', 'repository.write', 'repository.admin']
477 480 ]
478 481 return db.Repository.query().filter(db.Repository.repo_name.in_(repos))
479 482
480 483
481 484 #==============================================================================
482 485 # CHECK DECORATORS
483 486 #==============================================================================
484 487
485 488 def _redirect_to_login(message=None):
486 489 """Return an exception that must be raised. It will redirect to the login
487 490 page which will redirect back to the current URL after authentication.
488 491 The optional message will be shown in a flash message."""
489 492 if message:
490 493 webutils.flash(message, category='warning')
491 494 p = request.path_qs
492 495 log.debug('Redirecting to login page, origin: %s', p)
493 496 return HTTPFound(location=url('login_home', came_from=p))
494 497
495 498
496 499 # Use as decorator
497 500 class LoginRequired(object):
498 501 """Client must be logged in as a valid User, or we'll redirect to the login
499 502 page.
500 503
501 504 If the "default" user is enabled and allow_default_user is true, that is
502 505 considered valid too.
503 506
504 507 Also checks that IP address is allowed.
505 508 """
506 509
507 510 def __init__(self, allow_default_user=False):
508 511 self.allow_default_user = allow_default_user
509 512
510 513 def __call__(self, func):
511 514 return decorator(self.__wrapper, func)
512 515
513 516 def __wrapper(self, func, *fargs, **fkwargs):
514 517 controller = fargs[0]
515 518 user = request.authuser
516 519 loc = "%s:%s" % (controller.__class__.__name__, func.__name__)
517 520 log.debug('Checking access for user %s @ %s', user, loc)
518 521
519 522 # regular user authentication
520 523 if user.is_default_user:
521 524 if self.allow_default_user:
522 525 log.info('default user @ %s', loc)
523 526 return func(*fargs, **fkwargs)
524 527 log.info('default user is redirected to login @ %s', loc)
525 528 elif user.is_anonymous: # default user is disabled and no proper authentication
526 529 log.info('anonymous user is redirected to login @ %s', loc)
527 530 else: # regular authentication
528 531 log.info('user %s authenticated with regular auth @ %s', user, loc)
529 532 return func(*fargs, **fkwargs)
530 533 raise _redirect_to_login()
531 534
532 535
533 536 # Use as decorator
534 537 class NotAnonymous(object):
535 538 """Ensures that client is not logged in as the "default" user, and
536 539 redirects to the login page otherwise. Must be used together with
537 540 LoginRequired."""
538 541
539 542 def __call__(self, func):
540 543 return decorator(self.__wrapper, func)
541 544
542 545 def __wrapper(self, func, *fargs, **fkwargs):
543 546 cls = fargs[0]
544 547 user = request.authuser
545 548
546 549 log.debug('Checking that user %s is not anonymous @%s', user.username, cls)
547 550
548 551 if user.is_default_user:
549 552 raise _redirect_to_login(_('You need to be a registered user to '
550 553 'perform this action'))
551 554 else:
552 555 return func(*fargs, **fkwargs)
553 556
554 557
555 558 class _PermsDecorator(object):
556 559 """Base class for controller decorators with multiple permissions"""
557 560
558 561 def __init__(self, *required_perms):
559 562 self.required_perms = required_perms # usually very short - a list is thus fine
560 563
561 564 def __call__(self, func):
562 565 return decorator(self.__wrapper, func)
563 566
564 567 def __wrapper(self, func, *fargs, **fkwargs):
565 568 cls = fargs[0]
566 569 user = request.authuser
567 570 log.debug('checking %s permissions %s for %s %s',
568 571 self.__class__.__name__, self.required_perms, cls, user)
569 572
570 573 if self.check_permissions(user):
571 574 log.debug('Permission granted for %s %s', cls, user)
572 575 return func(*fargs, **fkwargs)
573 576
574 577 else:
575 578 log.info('Permission denied for %s %s', cls, user)
576 579 if user.is_default_user:
577 580 raise _redirect_to_login(_('You need to be signed in to view this page'))
578 581 else:
579 582 raise HTTPForbidden()
580 583
581 584 def check_permissions(self, user):
582 585 raise NotImplementedError()
583 586
584 587
585 588 class HasPermissionAnyDecorator(_PermsDecorator):
586 589 """
587 590 Checks the user has any of the given global permissions.
588 591 """
589 592
590 593 def check_permissions(self, user):
591 594 return any(p in user.global_permissions for p in self.required_perms)
592 595
593 596
594 597 class _PermDecorator(_PermsDecorator):
595 598 """Base class for controller decorators with a single permission"""
596 599
597 600 def __init__(self, required_perm):
598 601 _PermsDecorator.__init__(self, [required_perm])
599 602 self.required_perm = required_perm
600 603
601 604
602 605 class HasRepoPermissionLevelDecorator(_PermDecorator):
603 606 """
604 607 Checks the user has at least the specified permission level for the requested repository.
605 608 """
606 609
607 610 def check_permissions(self, user):
608 611 repo_name = get_repo_slug(request)
609 612 return user.has_repository_permission_level(repo_name, self.required_perm)
610 613
611 614
612 615 class HasRepoGroupPermissionLevelDecorator(_PermDecorator):
613 616 """
614 617 Checks the user has any of given permissions for the requested repository group.
615 618 """
616 619
617 620 def check_permissions(self, user):
618 621 repo_group_name = get_repo_group_slug(request)
619 622 return user.has_repository_group_permission_level(repo_group_name, self.required_perm)
620 623
621 624
622 625 class HasUserGroupPermissionLevelDecorator(_PermDecorator):
623 626 """
624 627 Checks for access permission for any of given predicates for specific
625 628 user group. In order to fulfill the request any of predicates must be meet
626 629 """
627 630
628 631 def check_permissions(self, user):
629 632 user_group_name = get_user_group_slug(request)
630 633 return user.has_user_group_permission_level(user_group_name, self.required_perm)
631 634
632 635
633 636 #==============================================================================
634 637 # CHECK FUNCTIONS
635 638 #==============================================================================
636 639
637 640 class _PermsFunction(object):
638 641 """Base function for other check functions with multiple permissions"""
639 642
640 643 def __init__(self, *required_perms):
641 644 self.required_perms = required_perms # usually very short - a list is thus fine
642 645
643 646 def __bool__(self):
644 647 """ Defend against accidentally forgetting to call the object
645 648 and instead evaluating it directly in a boolean context,
646 649 which could have security implications.
647 650 """
648 651 raise AssertionError(self.__class__.__name__ + ' is not a bool and must be called!')
649 652
650 653 def __call__(self, *a, **b):
651 654 raise NotImplementedError()
652 655
653 656
654 657 class HasPermissionAny(_PermsFunction):
655 658
656 659 def __call__(self, purpose=None):
657 660 ok = any(p in request.authuser.global_permissions for p in self.required_perms)
658 661
659 662 log.debug('Check %s for global %s (%s): %s',
660 663 request.authuser.username, self.required_perms, purpose, ok)
661 664 return ok
662 665
663 666
664 667 class _PermFunction(_PermsFunction):
665 668 """Base function for other check functions with a single permission"""
666 669
667 670 def __init__(self, required_perm):
668 671 _PermsFunction.__init__(self, [required_perm])
669 672 self.required_perm = required_perm
670 673
671 674
672 675 class HasRepoPermissionLevel(_PermFunction):
673 676
674 677 def __call__(self, repo_name, purpose=None):
675 678 return request.authuser.has_repository_permission_level(repo_name, self.required_perm, purpose)
676 679
677 680
678 681 class HasRepoGroupPermissionLevel(_PermFunction):
679 682
680 683 def __call__(self, group_name, purpose=None):
681 684 return request.authuser.has_repository_group_permission_level(group_name, self.required_perm, purpose)
682 685
683 686
684 687 class HasUserGroupPermissionLevel(_PermFunction):
685 688
686 689 def __call__(self, user_group_name, purpose=None):
687 690 return request.authuser.has_user_group_permission_level(user_group_name, self.required_perm, purpose)
688 691
689 692
690 693 #==============================================================================
691 694 # SPECIAL VERSION TO HANDLE MIDDLEWARE AUTH
692 695 #==============================================================================
693 696
694 697 class HasPermissionAnyMiddleware(object):
695 698 def __init__(self, *perms):
696 699 self.required_perms = set(perms)
697 700
698 701 def __call__(self, authuser, repo_name, purpose=None):
699 702 try:
700 703 ok = authuser.repository_permissions[repo_name] in self.required_perms
701 704 except KeyError:
702 705 ok = False
703 706
704 707 log.debug('Middleware check %s for %s for repo %s (%s): %s', authuser.username, self.required_perms, repo_name, purpose, ok)
705 708 return ok
706 709
707 710
708 711 def check_ip_access(source_ip, allowed_ips=None):
709 712 """
710 713 Checks if source_ip is a subnet of any of allowed_ips.
711 714
712 715 :param source_ip:
713 716 :param allowed_ips: list of allowed ips together with mask
714 717 """
715 718 source_ip = source_ip.split('%', 1)[0]
716 719 log.debug('checking if ip:%s is subnet of %s', source_ip, allowed_ips)
717 720 if isinstance(allowed_ips, (tuple, list, set)):
718 721 for ip in allowed_ips:
719 722 if ipaddr.IPAddress(source_ip) in ipaddr.IPNetwork(ip):
720 723 log.debug('IP %s is network %s',
721 724 ipaddr.IPAddress(source_ip), ipaddr.IPNetwork(ip))
722 725 return True
723 726 return False
General Comments 0
You need to be logged in to leave comments. Login now