kallithea Changeset - 78c7e8efe658

Changeset - 78c7e8efe658

Parent rev.

Child rev.

[Not reviewed]

beta

0 4 0

Marcin Kuzminski - 13 years ago 2013-04-15 01:46:32
marcin@python-works.com

new feature: API access white list definition from .ini files

4 files changed with 26 insertions and 3 deletions:

development.ini

production.ini

rhodecode/config/deployment.ini_tmpl

rhodecode/lib/auth.py

0 comments (0 inline, 0 general)

development.ini

➞

Show inline comments

@@ @@ -90,48 +90,54 @@ use_htsts = false @@
 commit_parse_limit = 25
 ## number of items displayed in lightweight dashboard before paginating is shown
 dashboard_items = 100
 ## use gravatar service to display avatars
 use_gravatar = true
 ## path to git executable
 git_path = git
 ## git rev filter option, --all is the default filter, if you need to
 ## hide all refs in changelog switch this to --branches --tags
 git_rev_filter=--all
 ## RSS feed options
 rss_cut_off_limit = 256000
 rss_items_per_page = 10
 rss_include_diff = false
 ## options for showing and identifying changesets
 show_sha_length = 12
 show_revision_number = true
 ## white list of API enabled controllers. This allows to add list of
 ## controllers to which access will be enabled by api_key. eg: to enable
 ## api access to raw_files put `FilesController:raw`, to enable access to patches
 ## add `ChangesetController:changeset_patch`. This list should be "," separated
 ## Syntax is <ControllerClass>:<function>. Check debug logs for generated names
 api_access_controllers_whitelist =
 ## alternative_gravatar_url allows you to use your own avatar server application
 ## the following parts of the URL will be replaced
 ## {email}        user email
 ## {md5email}     md5 hash of the user email (like at gravatar.com)
 ## {size}         size of the image that is expected from the server application
 ## {scheme}       http/https from RhodeCode server
 ## {netloc}       network location from RhodeCode server
 #alternative_gravatar_url = http://myavatarserver.com/getbyemail/{email}/{size}
 #alternative_gravatar_url = http://myavatarserver.com/getbymd5/{md5email}?s={size}
 ## container auth options
 container_auth_enabled = false
 proxypass_auth_enabled = false
 ## default encoding used to convert from and to unicode
 ## can be also a comma seperated list of encoding in case of mixed encodings
 default_encoding = utf8
 ## overwrite schema of clone url
 ## available vars:
 ## scheme - http/https
 ## user - current user

production.ini

➞

Show inline comments

@@ @@ -90,48 +90,54 @@ use_htsts = false @@
 commit_parse_limit = 25
 ## number of items displayed in lightweight dashboard before paginating is shown
 dashboard_items = 100
 ## use gravatar service to display avatars
 use_gravatar = true
 ## path to git executable
 git_path = git
 ## git rev filter option, --all is the default filter, if you need to
 ## hide all refs in changelog switch this to --branches --tags
 git_rev_filter=--all
 ## RSS feed options
 rss_cut_off_limit = 256000
 rss_items_per_page = 10
 rss_include_diff = false
 ## options for showing and identifying changesets
 show_sha_length = 12
 show_revision_number = true
 ## white list of API enabled controllers. This allows to add list of
 ## controllers to which access will be enabled by api_key. eg: to enable
 ## api access to raw_files put `FilesController:raw`, to enable access to patches
 ## add `ChangesetController:changeset_patch`. This list should be "," separated
 ## Syntax is <ControllerClass>:<function>. Check debug logs for generated names
 api_access_controllers_whitelist =
 ## alternative_gravatar_url allows you to use your own avatar server application
 ## the following parts of the URL will be replaced
 ## {email}        user email
 ## {md5email}     md5 hash of the user email (like at gravatar.com)
 ## {size}         size of the image that is expected from the server application
 ## {scheme}       http/https from RhodeCode server
 ## {netloc}       network location from RhodeCode server
 #alternative_gravatar_url = http://myavatarserver.com/getbyemail/{email}/{size}
 #alternative_gravatar_url = http://myavatarserver.com/getbymd5/{md5email}?s={size}
 ## container auth options
 container_auth_enabled = false
 proxypass_auth_enabled = false
 ## default encoding used to convert from and to unicode
 ## can be also a comma seperated list of encoding in case of mixed encodings
 default_encoding = utf8
 ## overwrite schema of clone url
 ## available vars:
 ## scheme - http/https
 ## user - current user

rhodecode/config/deployment.ini_tmpl

➞

Show inline comments

@@ @@ -90,48 +90,54 @@ use_htsts = false @@
 commit_parse_limit = 25
 ## number of items displayed in lightweight dashboard before paginating is shown
 dashboard_items = 100
 ## use gravatar service to display avatars
 use_gravatar = true
 ## path to git executable
 git_path = git
 ## git rev filter option, --all is the default filter, if you need to
 ## hide all refs in changelog switch this to --branches --tags
 git_rev_filter=--all
 ## RSS feed options
 rss_cut_off_limit = 256000
 rss_items_per_page = 10
 rss_include_diff = false
 ## options for showing and identifying changesets
 show_sha_length = 12
 show_revision_number = true
 ## white list of API enabled controllers. This allows to add list of
 ## controllers to which access will be enabled by api_key. eg: to enable
 ## api access to raw_files put `FilesController:raw`, to enable access to patches
 ## add `ChangesetController:changeset_patch`. This list should be "," separated
 ## Syntax is <ControllerClass>:<function>. Check debug logs for generated names
 api_access_controllers_whitelist =
 ## alternative_gravatar_url allows you to use your own avatar server application
 ## the following parts of the URL will be replaced
 ## {email}        user email
 ## {md5email}     md5 hash of the user email (like at gravatar.com)
 ## {size}         size of the image that is expected from the server application
 ## {scheme}       http/https from RhodeCode server
 ## {netloc}       network location from RhodeCode server
 #alternative_gravatar_url = http://myavatarserver.com/getbyemail/{email}/{size}
 #alternative_gravatar_url = http://myavatarserver.com/getbymd5/{md5email}?s={size}
 ## container auth options
 container_auth_enabled = false
 proxypass_auth_enabled = false
 ## default encoding used to convert from and to unicode
 ## can be also a comma seperated list of encoding in case of mixed encodings
 default_encoding = utf8
 ## overwrite schema of clone url
 ## available vars:
 ## scheme - http/https
 ## user - current user

rhodecode/lib/auth.py

➞

Show inline comments

@@ @@ -18,49 +18,49 @@ @@
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 # GNU General Public License for more details.
+#
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 import random
 import logging
 import traceback
 import hashlib
 from tempfile import _RandomNameSequence
 from decorator import decorator
 from pylons import config, url, request
 from pylons.controllers.util import abort, redirect
 from pylons.i18n.translation import _
 from sqlalchemy.orm.exc import ObjectDeletedError
 from rhodecode import __platform__, is_windows, is_unix
 from rhodecode.model.meta import Session
 from rhodecode.lib.utils2 import str2bool, safe_unicode
+from rhodecode.lib.utils2 import str2bool, safe_unicode, aslist
 from rhodecode.lib.exceptions import LdapPasswordError, LdapUsernameError,\
     LdapImportError
 from rhodecode.lib.utils import get_repo_slug, get_repos_group_slug,\
     get_user_group_slug
 from rhodecode.lib.auth_ldap import AuthLdap
 from rhodecode.model import meta
 from rhodecode.model.user import UserModel
 from rhodecode.model.db import Permission, RhodeCodeSetting, User, UserIpMap
 from rhodecode.lib.caching_query import FromCache
 log = logging.getLogger(__name__)
 class PasswordGenerator(object):
     """
     This is a simple class for generating password from different sets of
     characters
     usage::
         passwd_gen = PasswordGenerator()
         #print 8-letter password containing only big and small letters
             of alphabet
         passwd_gen.gen_password(8, passwd_gen.ALPHABETS_BIG_SMALL)
@@ @@ -510,59 +510,64 @@ def set_available_permissions(config): @@
 #==============================================================================
 # CHECK DECORATORS
 #==============================================================================
 class LoginRequired(object):
     """
     Must be logged in to execute this function else
     redirect to login page
     :param api_access: if enabled this checks only for valid auth token
         and grants access based on valid token
     """
     def __init__(self, api_access=False):
         self.api_access = api_access
     def __call__(self, func):
         return decorator(self.__wrapper, func)
     def __wrapper(self, func, *fargs, **fkwargs):
         cls = fargs[0]
         user = cls.rhodecode_user
         loc = "%s:%s" % (cls.__class__.__name__, func.__name__)
         # defined whitelist of controllers which API access will be enabled
         whitelist = aslist(config.get('api_access_controllers_whitelist'),
                            sep=',')
         api_access_whitelist = loc in whitelist
         log.debug('loc:%s is in API whitelist:%s:%s' % (loc, whitelist,
                                                         api_access_whitelist))
         #check IP
         ip_access_ok = True
         if not user.ip_allowed:
             from rhodecode.lib import helpers as h
             h.flash(h.literal(_('IP %s not allowed' % (user.ip_addr))),
                     category='warning')
             ip_access_ok = False
         api_access_ok = False
         if self.api_access:
+        if self.api_access or api_access_whitelist:
             log.debug('Checking API KEY access for %s' % cls)
             if user.api_key == request.GET.get('api_key'):
                 api_access_ok = True
             else:
                 log.debug("API KEY token not valid")
         log.debug('Checking if %s is authenticated @ %s' % (user.username, loc))
         if (user.is_authenticated or api_access_ok) and ip_access_ok:
             reason = 'RegularAuth' if user.is_authenticated else 'APIAuth'
             log.info('user %s is authenticated and granted access to %s '
                      'using %s' % (user.username, loc, reason)
+            )
             return func(*fargs, **fkwargs)
         else:
             log.warn('user %s NOT authenticated on func: %s' % (
                 user, loc)
+            )
             p = url.current()
             log.debug('redirecting to login page with %s' % p)
             return redirect(url('login_home', came_from=p))
 class NotAnonymous(object):

0 comments (0 inline, 0 general)