kallithea Changeset - 077ba994ee03

Changeset - 077ba994ee03

Parent rev.

Child rev.

[Not reviewed]

default

0 5 0

Mads Kiilerich - 7 years ago 2019-01-03 01:22:45
mads@kiilerich.com

auth: introduce AuthUser.make factory which can return None if user can't be authenticated

5 files changed with 62 insertions and 52 deletions:

kallithea/controllers/api/__init__.py

kallithea/controllers/login.py

kallithea/lib/auth.py

kallithea/lib/auth_modules/__init__.py

kallithea/lib/base.py

0 comments (0 inline, 0 general)

kallithea/controllers/api/__init__.py

➞

Show inline comments

@@ @@ -143,27 +143,28 @@ class JSONRPCController(TGController): @@
             raise JSONRPCErrorResponse(retid=self._req_id,
                                        message='Incorrect JSON query missing %s' % e)
         # check if we can find this session using api_key
         try:
             u = User.get_by_api_key(self._req_api_key)
             if u is None:
             auth_user = AuthUser.make(dbuser=u)
             if auth_user is None:
                 raise JSONRPCErrorResponse(retid=self._req_id,
                                            message='Invalid API key')
             auth_u = AuthUser(dbuser=u)
             if not AuthUser.check_ip_allowed(auth_u, ip_addr):
             if not AuthUser.check_ip_allowed(auth_user, ip_addr):
                 raise JSONRPCErrorResponse(retid=self._req_id,
                                            message='request from IP:%s not allowed' % (ip_addr,))
             else:
                 log.info('Access for IP:%s allowed', ip_addr)
         except Exception as e:
             raise JSONRPCErrorResponse(retid=self._req_id,
                                        message='Invalid API key')
         request.authuser = auth_user
         self._error = None
         try:
             self._func = self._find_method()
         except AttributeError as e:
             raise JSONRPCErrorResponse(retid=self._req_id,
                                        message=str(e))
@@ @@ -176,17 +177,12 @@ class JSONRPCController(TGController): @@
         default_empty = types.NotImplementedType
         # kw arguments required by this method
         func_kwargs = dict(itertools.izip_longest(reversed(arglist), reversed(defaults),
                                                   fillvalue=default_empty))
         # this is little trick to inject logged in user for
         # perms decorators to work they expect the controller class to have
         # authuser attribute set
         request.authuser = auth_u
         # This attribute will need to be first param of a method that uses
         # api_key, which is translated to instance of user at that name
         USER_SESSION_ATTR = 'apiuser'
         # get our arglist and check if we provided them as args
         for arg, default in func_kwargs.iteritems():

kallithea/controllers/login.py

➞

Show inline comments

@@ @@ -99,14 +99,14 @@ class LoginController(BaseController): @@
                 # container auth or other auth functions that create users on
                 # the fly can throw this exception signaling that there's issue
                 # with user creation, explanation should be provided in
                 # Exception itself
                 h.flash(e, 'error')
             else:
                 log_in_user(user, c.form_result['remember'],
                     is_external_auth=False)
                 auth_user = log_in_user(user, c.form_result['remember'], is_external_auth=False)
                 # TODO: handle auth_user is None as failed authentication?
                 raise HTTPFound(location=c.came_from)
         else:
             # redirect if already logged in
             if not request.authuser.is_anonymous:
                 raise HTTPFound(location=c.came_from)
             # continue to show login to default user

kallithea/lib/auth.py

➞

Show inline comments

@@ @@ -395,12 +395,26 @@ class AuthUser(object): @@
     only happen on the login page (as all other requests are redirected).
     `is_default_user` specifically checks if the AuthUser is the user named
     "default". Use `is_anonymous` to check for both "default" and "no user".
     """
     @classmethod
     def make(cls, dbuser=None, authenticating_api_key=None, is_external_auth=False):
         """Create an AuthUser to be authenticated ... or return None if user for some reason can't be authenticated.
         Checks that a non-None dbuser is provided and is active.
         """
         if dbuser is None:
             log.info('No db user for authentication')
             return None
         if not dbuser.active:
             log.info('Db user %s not active', dbuser.username)
             return None
         return cls(dbuser=dbuser, authenticating_api_key=authenticating_api_key,
             is_external_auth=is_external_auth)
     def __init__(self, user_id=None, dbuser=None, authenticating_api_key=None,
             is_external_auth=False):
         self.is_external_auth = is_external_auth # container auth - don't show logout option
         self.authenticating_api_key = authenticating_api_key
         # These attributes will be overridden by fill_data, below, unless the
@@ @@ -572,20 +586,18 @@ class AuthUser(object): @@
             'is_external_auth': self.is_external_auth,
+        }
     @staticmethod
     def from_cookie(cookie):
         """
         Deserializes an `AuthUser` from a cookie `dict`.
+        Deserializes an `AuthUser` from a cookie `dict` ... or return None.
         """
         au = AuthUser(
             user_id=cookie.get('user_id'),
         return AuthUser.make(
             dbuser=UserModel().get(cookie.get('user_id')),
             is_external_auth=cookie.get('is_external_auth', False),
+        )
         return au
     @classmethod
     def get_allowed_ips(cls, user_id, cache=False):
         _set = set()
         default_ips = UserIpMap.query().filter(UserIpMap.user_id ==
@@ @@ -868,24 +880,23 @@ class HasUserGroupPermissionLevel(_PermF @@
 #==============================================================================
 class HasPermissionAnyMiddleware(object):
     def __init__(self, *perms):
         self.required_perms = set(perms)
-    def __call__(self, user, repo_name, purpose=None):
+    def __call__(self, authuser, repo_name, purpose=None):
         # repo_name MUST be unicode, since we handle keys in ok
         # dict by unicode
         repo_name = safe_unicode(repo_name)
         user = AuthUser(user.user_id)
         try:
-            ok = user.permissions['repositories'][repo_name] in self.required_perms
+            ok = authuser.permissions['repositories'][repo_name] in self.required_perms
         except KeyError:
             ok = False
-        log.debug('Middleware check %s for %s for repo %s (%s): %s', user.username, self.required_perms, repo_name, purpose, ok)
+        log.debug('Middleware check %s for %s for repo %s (%s): %s', authuser.username, self.required_perms, repo_name, purpose, ok)
         return ok
 def check_ip_access(source_ip, allowed_ips=None):
     """
     Checks if source_ip is a subnet of any of allowed_ips.

kallithea/lib/auth_modules/__init__.py

➞

Show inline comments

@@ @@ -359,13 +359,13 @@ def authenticate(username, password, env @@
         # use plugin's method of user extraction.
         user = plugin.get_user(username, environ=environ,
                                settings=plugin_settings)
         log.debug('Plugin %s extracted user `%s`', module, user)
         if user is not None and not user.active:
+        if user is not None and not user.active: # give up, way before creating AuthUser
             log.error("Rejecting authentication of in-active user %s", user)
             continue
         if not plugin.accepts(user):
             log.debug('Plugin %s does not accept user `%s` for authentication',
                       module, user)

kallithea/lib/base.py

➞

Show inline comments

@@ @@ -114,20 +114,22 @@ def log_in_user(user, remember, is_exter @@
     Log a `User` in and update session and cookies. If `remember` is True,
     the session cookie is set to expire in a year; otherwise, it expires at
     the end of the browser session.
     Returns populated `AuthUser` object.
     """
     # It should not be possible to explicitly log in as the default user.
     assert not user.is_default_user, user
     auth_user = AuthUser.make(dbuser=user, is_external_auth=is_external_auth)
     if auth_user is None:
         return None
     user.update_lastlogin()
     meta.Session().commit()
     auth_user = AuthUser(dbuser=user,
                          is_external_auth=is_external_auth)
     # It should not be possible to explicitly log in as the default user.
     assert not auth_user.is_default_user
     # Start new session to prevent session fixation attacks.
     session.invalidate()
     session['authuser'] = cookie = auth_user.to_cookie()
     # If they want to be remembered, update the cookie.
     # NOTE: Assumes that beaker defaults to browser session cookie.
@@ @@ -207,24 +209,21 @@ class BaseVCSController(object): @@
         inspection, or by using container authentication to delegate the
         authentication to the web server.
         Returns (user, None) on successful authentication and authorization.
         Returns (None, wsgi_app) to send the wsgi_app response to the client.
         """
-        # Check if anonymous access is allowed.
+        # Use anonymous access if allowed for action on repo.
         default_user = User.get_default_user(cache=True)
         is_default_user_allowed = (default_user.active and
             self._check_permission(action, default_user, repo_name, ip_addr))
         if is_default_user_allowed:
             return default_user, None
         if not default_user.active:
             log.debug('Anonymous access is disabled')
         default_authuser = AuthUser.make(dbuser=default_user)
         if default_authuser is None:
             log.debug('No anonymous access at all') # move on to proper user auth
         else:
             log.debug('Not authorized to access this '
                       'repository as anonymous user')
             if self._check_permission(action, default_authuser, repo_name, ip_addr):
                 return default_authuser, None
             log.debug('Not authorized to access this repository as anonymous user')
         username = None
         #==============================================================
         # DEFAULT PERM FAILED OR ANONYMOUS ACCESS IS DISABLED SO WE
         # NEED TO AUTHENTICATE AND ASK FOR AUTH USER PERMISSIONS
         #==============================================================
@@ @@ -249,21 +248,20 @@ class BaseVCSController(object): @@
         #==============================================================
         # CHECK PERMISSIONS FOR THIS REQUEST USING GIVEN USERNAME
         #==============================================================
         try:
             user = User.get_by_username_or_email(username)
             if user is None or not user.active:
                 return None, webob.exc.HTTPForbidden()
         except Exception:
             log.error(traceback.format_exc())
             return None, webob.exc.HTTPInternalServerError()
         # check permissions for this repository
         perm = self._check_permission(action, user, repo_name, ip_addr)
         if not perm:
         authuser = AuthUser.make(dbuser=user)
         if authuser is None:
             return None, webob.exc.HTTPForbidden()
         if not self._check_permission(action, authuser, repo_name, ip_addr):
             return None, webob.exc.HTTPForbidden()
         return user, None
     def _handle_request(self, environ, start_response):
         raise NotImplementedError()
@@ @@ -282,39 +280,39 @@ class BaseVCSController(object): @@
             by_id_match = get_repo_by_id(repo_name)
             if by_id_match:
                 data[1] = safe_str(by_id_match)
         return '/'.join(data)
-    def _check_permission(self, action, user, repo_name, ip_addr=None):
+    def _check_permission(self, action, authuser, repo_name, ip_addr=None):
         """
         Checks permissions using action (push/pull) user and repository
         name
         :param action: 'push' or 'pull' action
         :param user: `User` instance
         :param repo_name: repository name
         """
         # check IP
-        ip_allowed = AuthUser.check_ip_allowed(user, ip_addr)
+        ip_allowed = AuthUser.check_ip_allowed(authuser, ip_addr)
         if ip_allowed:
             log.info('Access for IP:%s allowed', ip_addr)
         else:
             return False
         if action == 'push':
             if not HasPermissionAnyMiddleware('repository.write',
-                                              'repository.admin')(user,
+                                              'repository.admin')(authuser,
                                                                   repo_name):
                 return False
         else:
             #any other action need at least read permission
             if not HasPermissionAnyMiddleware('repository.read',
                                               'repository.write',
-                                              'repository.admin')(user,
+                                              'repository.admin')(authuser,
                                                                   repo_name):
                 return False
         return True
     def _get_ip_addr(self, environ):
@@ @@ -389,23 +387,24 @@ class BaseController(TGController): @@
     @staticmethod
     def _determine_auth_user(api_key, bearer_token, session_authuser):
         """
         Create an `AuthUser` object given the API key/bearer token
         (if any) and the value of the authuser session cookie.
         Returns None if no valid user is found (like not active).
         """
         # Authenticate by bearer token
         if bearer_token is not None:
             api_key = bearer_token
         # Authenticate by API key
         if api_key is not None:
             au = AuthUser(dbuser=User.get_by_api_key(api_key),
                 authenticating_api_key=api_key, is_external_auth=True)
             if au.is_anonymous:
             dbuser = User.get_by_api_key(api_key)
             au = AuthUser.make(dbuser=dbuser, authenticating_api_key=api_key, is_external_auth=True)
             if au is None or au.is_anonymous:
                 log.warning('API key ****%s is NOT valid', api_key[-4:])
                 raise webob.exc.HTTPForbidden(_('Invalid API key'))
             return au
         # Authenticate by session cookie
         # In ancient login sessions, 'authuser' may not be a dict.
@@ @@ -426,18 +425,20 @@ class BaseController(TGController): @@
                 from kallithea.lib import helpers as h
                 h.flash(e, 'error', logf=log.error)
             else:
                 if user_info is not None:
                     username = user_info['username']
                     user = User.get_by_username(username, case_insensitive=True)
                     return log_in_user(user, remember=False,
                                        is_external_auth=True)
                     return log_in_user(user, remember=False, is_external_auth=True)
         # User is default user (if active) or anonymous
         default_user = User.get_default_user(cache=True)
         return AuthUser(dbuser=default_user)
         authuser = AuthUser.make(dbuser=default_user)
         if authuser is None: # fall back to anonymous
             authuser = AuthUser(dbuser=default_user) # TODO: somehow use .make?
         return authuser
     @staticmethod
     def _basic_security_checks():
         """Perform basic security/sanity checks before processing the request."""
         # Only allow the following HTTP request methods.
@@ @@ -487,13 +488,15 @@ class BaseController(TGController): @@
             authuser = self._determine_auth_user(
                 request.GET.get('api_key'),
                 bearer_token,
                 session.get('authuser'),
+            )
             if authuser is None:
                 log.info('No valid user found')
                 raise webob.exc.HTTPForbidden()
             if not AuthUser.check_ip_allowed(authuser, request.ip_addr):
                 raise webob.exc.HTTPForbidden()
             request.authuser = authuser
             log.info('IP: %s User: %s accessed %s',

0 comments (0 inline, 0 general)