kallithea Changeset - 815bf70a88ce

Changeset - 815bf70a88ce

Parent rev.

Child rev.

[Not reviewed]

default

0 4 0

Søren Løvborg - 10 years ago 2015-07-14 13:59:59
kwi@kwi.dk

AuthUser: simplify check_ip_allowed and drop is_ip_allowed

check_ip_allowed is always called with user_id and inherit_from_default
arguments taken from the same User/AuthUser object, so just take that
object instead. This simplifies the is_ip_allowed method to the point
where it can be removed.

4 files changed with 11 insertions and 20 deletions:

kallithea/controllers/api/__init__.py

kallithea/controllers/login.py

kallithea/lib/auth.py

kallithea/lib/base.py

0 comments (0 inline, 0 general)

kallithea/controllers/api/__init__.py

➞

Show inline comments

@@ @@ -137,51 +137,50 @@ class JSONRPCController(WSGIController): @@
         # check AUTH based on API key
         try:
             self._req_api_key = json_body['api_key']
             self._req_id = json_body['id']
             self._req_method = json_body['method']
             self._request_params = json_body['args']
             if not isinstance(self._request_params, dict):
                 self._request_params = {}
             log.debug(
                 'method: %s, params: %s' % (self._req_method,
                                             self._request_params)
+            )
         except KeyError, e:
             return jsonrpc_error(retid=self._req_id,
                                  message='Incorrect JSON query missing %s' % e)
         # check if we can find this session using api_key
         try:
             u = User.get_by_api_key(self._req_api_key)
             if u is None:
                 return jsonrpc_error(retid=self._req_id,
                                      message='Invalid API key')
             #check if we are allowed to use this IP
             auth_u = AuthUser(u.user_id, self._req_api_key)
-            if not auth_u.is_ip_allowed(ip_addr):
+            if not AuthUser.check_ip_allowed(auth_u, ip_addr):
                 return jsonrpc_error(retid=self._req_id,
                         message='request from IP:%s not allowed' % (ip_addr,))
             else:
                 log.info('Access for IP:%s allowed' % (ip_addr,))
         except Exception, e:
             return jsonrpc_error(retid=self._req_id,
                                  message='Invalid API key')
         self._error = None
         try:
             self._func = self._find_method()
         except AttributeError, e:
             return jsonrpc_error(retid=self._req_id,
                                  message=str(e))
         # now that we have a method, add self._req_params to
         # self.kargs and dispatch control to WGIController
         argspec = inspect.getargspec(self._func)
         arglist = argspec[0][1:]
         defaults = map(type, argspec[3] or [])
         default_empty = types.NotImplementedType
         # kw arguments required by this method

kallithea/controllers/login.py

➞

Show inline comments

@@ @@ -88,49 +88,49 @@ class LoginController(BaseController): @@
         parsed = urlparse.urlparse(came_from)
         server_parsed = urlparse.urlparse(url.current())
         allowed_schemes = ['http', 'https']
         if parsed.scheme and parsed.scheme not in allowed_schemes:
             log.error('Suspicious URL scheme detected %s for url %s' %
                      (parsed.scheme, parsed))
             return False
         if server_parsed.netloc != parsed.netloc:
             log.error('Suspicious NETLOC detected %s for url %s server url '
                       'is: %s' % (parsed.netloc, parsed, server_parsed))
             return False
         return True
     def _redirect_to_origin(self, origin):
         '''redirect to the original page, preserving any get arguments given'''
         request.GET.pop('came_from', None)
         raise HTTPFound(location=url(origin, **request.GET))
     def index(self):
         c.came_from = safe_str(request.GET.get('came_from', ''))
         if not self._validate_came_from(c.came_from):
             c.came_from = url('home')
         not_default = self.authuser.username != User.DEFAULT_USER
-        ip_allowed = self.authuser.is_ip_allowed(self.ip_addr)
+        ip_allowed = AuthUser.check_ip_allowed(self.authuser, self.ip_addr)
         # redirect if already logged in
         if self.authuser.is_authenticated and not_default and ip_allowed:
             return self._redirect_to_origin(c.came_from)
         if request.POST:
             # import Login Form validator class
             login_form = LoginForm()
             try:
                 session.invalidate()
                 c.form_result = login_form.to_python(dict(request.POST))
                 # form checks for username/password, now we're authenticated
                 self._store_user_in_session(
                                         username=c.form_result['username'],
                                         remember=c.form_result['remember'])
                 return self._redirect_to_origin(c.came_from)
             except formencode.Invalid, errors:
                 defaults = errors.value
                 # remove password from filling in form again
                 del defaults['password']
                 return htmlfill.render(
                     render('/login.html'),
                     defaults=errors.value,

kallithea/lib/auth.py

➞

Show inline comments

@@ @@ -587,61 +587,56 @@ class AuthUser(object): @@
     @property
     def repositories_admin(self):
         """
         Returns list of repositories you're an admin of
         """
         return [x[0] for x in self.permissions['repositories'].iteritems()
                 if x[1] == 'repository.admin']
     @property
     def repository_groups_admin(self):
         """
         Returns list of repository groups you're an admin of
         """
         return [x[0] for x in self.permissions['repositories_groups'].iteritems()
                 if x[1] == 'group.admin']
     @property
     def user_groups_admin(self):
         """
         Returns list of user groups you're an admin of
         """
         return [x[0] for x in self.permissions['user_groups'].iteritems()
                 if x[1] == 'usergroup.admin']
     def is_ip_allowed(self, ip_addr):
         """
         Determine if `ip_addr` is on the list of allowed IP addresses
         for this user.
     @staticmethod
     def check_ip_allowed(user, ip_addr):
         """
         inherit = self.inherit_default_permissions
         return AuthUser.check_ip_allowed(self.user_id, ip_addr,
                                          inherit_from_default=inherit)
     @classmethod
     def check_ip_allowed(cls, user_id, ip_addr, inherit_from_default):
         allowed_ips = AuthUser.get_allowed_ips(user_id, cache=True,
                         inherit_from_default=inherit_from_default)
         Check if the given IP address (a `str`) is allowed for the given
         user (an `AuthUser` or `db.User`).
         """
         allowed_ips = AuthUser.get_allowed_ips(user.user_id, cache=True,
             inherit_from_default=user.inherit_default_permissions)
         if check_ip_access(source_ip=ip_addr, allowed_ips=allowed_ips):
             log.debug('IP:%s is in range of %s' % (ip_addr, allowed_ips))
             return True
         else:
             log.info('Access for IP:%s forbidden, '
                      'not in %s' % (ip_addr, allowed_ips))
             return False
     def __repr__(self):
         return "<AuthUser('id:%s[%s] auth:%s')>"\
             % (self.user_id, self.username, self.is_authenticated)
     def set_authenticated(self, authenticated=True):
         if self.user_id != self.anonymous_user.user_id:
             self.is_authenticated = authenticated
     def get_cookie_store(self):
         return {'username': self.username,
                 'user_id': self.user_id,
                 'is_authenticated': self.is_authenticated}
     @classmethod
     def from_cookie_store(cls, cookie_store):
         """
@@ @@ -721,50 +716,49 @@ def redirect_to_login(message=None): @@
     log.debug('Redirecting to login page, origin: %s' % p)
     return redirect(url('login_home', came_from=p, **request.GET))
 class LoginRequired(object):
     """
     Must be logged in to execute this function else
     redirect to login page
     :param api_access: if enabled this checks only for valid auth token
         and grants access based on valid token
     """
     def __init__(self, api_access=False):
         self.api_access = api_access
     def __call__(self, func):
         return decorator(self.__wrapper, func)
     def __wrapper(self, func, *fargs, **fkwargs):
         controller = fargs[0]
         user = controller.authuser
         loc = "%s:%s" % (controller.__class__.__name__, func.__name__)
         log.debug('Checking access for user %s @ %s' % (user, loc))
         # check if our IP is allowed
         if not user.is_ip_allowed(controller.ip_addr):
         if not AuthUser.check_ip_allowed(user, controller.ip_addr):
             return redirect_to_login(_('IP %s not allowed') % controller.ip_addr)
         # check if we used an API key and it's a valid one
         api_key = request.GET.get('api_key')
         if api_key is not None:
             # explicit controller is enabled or API is in our whitelist
             if self.api_access or allowed_api_access(loc, api_key=api_key):
                 if api_key in user.api_keys:
                     log.info('user %s authenticated with API key ****%s @ %s'
                              % (user, api_key[-4:], loc))
                     return func(*fargs, **fkwargs)
                 else:
                     log.warning('API key ****%s is NOT valid' % api_key[-4:])
                     return redirect_to_login(_('Invalid API key'))
             else:
                 # controller does not allow API access
                 log.warning('API access to %s is not allowed' % loc)
                 return abort(403)
         # CSRF protection - POSTs with session auth must contain correct token
         if request.POST and user.is_authenticated:
             token = request.POST.get(secure_form.token_key)
             if not token or token != secure_form.authentication_token():
                 log.error('CSRF check failed')

kallithea/lib/base.py

➞

Show inline comments

@@ @@ -165,51 +165,49 @@ class BaseVCSController(object): @@
             by_id_match = get_repo_by_id(repo_name)
             if by_id_match:
                 data[1] = by_id_match
         return '/'.join(data)
     def _invalidate_cache(self, repo_name):
         """
         Sets cache for this repository for invalidation on next access
         :param repo_name: full repo name, also a cache key
         """
         ScmModel().mark_for_invalidation(repo_name)
     def _check_permission(self, action, user, repo_name, ip_addr=None):
         """
         Checks permissions using action (push/pull) user and repository
         name
         :param action: push or pull action
         :param user: `User` instance
         :param repo_name: repository name
         """
         # check IP
         inherit = user.inherit_default_permissions
         ip_allowed = AuthUser.check_ip_allowed(user.user_id, ip_addr,
                                                inherit_from_default=inherit)
         ip_allowed = AuthUser.check_ip_allowed(user, ip_addr)
         if ip_allowed:
             log.info('Access for IP:%s allowed' % (ip_addr,))
         else:
             return False
         if action == 'push':
             if not HasPermissionAnyMiddleware('repository.write',
                                               'repository.admin')(user,
                                                                   repo_name):
                 return False
         else:
             #any other action need at least read permission
             if not HasPermissionAnyMiddleware('repository.read',
                                               'repository.write',
                                               'repository.admin')(user,
                                                                   repo_name):
                 return False
         return True
     def _get_ip_addr(self, environ):
         return _get_ip_addr(environ)

0 comments (0 inline, 0 general)