kallithea Changeset - c5169e445fb8

Changeset - c5169e445fb8

Parent rev.

Child rev.

[Not reviewed]

beta

0 7 0

Marcin Kuzminski - 13 years ago 2013-01-04 23:34:53
marcin@python-works.com

Full IP restrictions enabled
- short cache query for IP for performance
- remove redundant logic
- some small css fixes for login form to better show IP restricted message

7 files changed with 46 insertions and 26 deletions:

rhodecode/controllers/api/__init__.py

rhodecode/controllers/login.py

rhodecode/lib/auth.py

rhodecode/lib/base.py

rhodecode/model/db.py

rhodecode/model/user.py

rhodecode/public/css/style.css

0 comments (0 inline, 0 general)

rhodecode/controllers/api/__init__.py

➞

Show inline comments

@@ @@ -34,25 +34,25 @@ import time @@
 from rhodecode.lib.compat import izip_longest, json
 from paste.response import replace_header
 from pylons.controllers import WSGIController
 from webob.exc import HTTPNotFound, HTTPForbidden, HTTPInternalServerError, \
 HTTPBadRequest, HTTPError
 from rhodecode.model.db import User
-from rhodecode.lib.auth import AuthUser, check_ip_access
 from rhodecode.lib.auth import AuthUser
 from rhodecode.lib.base import _get_ip_addr, _get_access_path
 from rhodecode.lib.utils2 import safe_unicode
 log = logging.getLogger('JSONRPC')
 class JSONRPCError(BaseException):
     def __init__(self, message):
         self.message = message
         super(JSONRPCError, self).__init__()
@@ @@ -139,35 +139,33 @@ class JSONRPCController(WSGIController): @@
                                             self._request_params)
+            )
         except KeyError, e:
             return jsonrpc_error(retid=self._req_id,
                                  message='Incorrect JSON query missing %s' % e)
         # check if we can find this session using api_key
         try:
             u = User.get_by_api_key(self._req_api_key)
             if u is None:
                 return jsonrpc_error(retid=self._req_id,
                                      message='Invalid API KEY')
             #check if we are allowed to use this IP
             allowed_ips = AuthUser.get_allowed_ips(u.user_id)
             if check_ip_access(source_ip=ip_addr, allowed_ips=allowed_ips) is False:
                 log.info('Access for IP:%s forbidden, '
                          'not in %s' % (ip_addr, allowed_ips))
             auth_u = AuthUser(u.user_id, self._req_api_key, ip_addr=ip_addr)
             if not auth_u.ip_allowed:
                 return jsonrpc_error(retid=self._req_id,
                         message='request from IP:%s not allowed' % (ip_addr))
             else:
                 log.info('Access for IP:%s allowed' % (ip_addr))
             auth_u = AuthUser(u.user_id, self._req_api_key, ip_addr=ip_addr)
         except Exception, e:
             return jsonrpc_error(retid=self._req_id,
                                  message='Invalid API KEY')
         self._error = None
         try:
             self._func = self._find_method()
         except AttributeError, e:
             return jsonrpc_error(retid=self._req_id,
                                  message=str(e))
         # now that we have a method, add self._req_params to

rhodecode/controllers/login.py

➞

Show inline comments

@@ @@ -45,28 +45,27 @@ from rhodecode.model.meta import Session @@
 log = logging.getLogger(__name__)
 class LoginController(BaseController):
     def __before__(self):
         super(LoginController, self).__before__()
     def index(self):
         # redirect if already logged in
         c.came_from = request.GET.get('came_from')
         if self.rhodecode_user.is_authenticated \
                             and self.rhodecode_user.username != 'default':
         not_default = self.rhodecode_user.username != 'default'
         ip_allowed = self.rhodecode_user.ip_allowed
         if self.rhodecode_user.is_authenticated and not_default and ip_allowed:
             return redirect(url('home'))
         if request.POST:
             # import Login Form validator class
             login_form = LoginForm()
             try:
                 session.invalidate()
                 c.form_result = login_form.to_python(dict(request.POST))
                 # form checks for username/password, now we're authenticated
                 username = c.form_result['username']
                 user = User.get_by_username(username, case_insensitive=True)
                 auth_user = AuthUser(user.user_id)

rhodecode/lib/auth.py

➞

Show inline comments

@@ @@ -37,24 +37,25 @@ from pylons.i18n.translation import _ @@
 from rhodecode import __platform__, is_windows, is_unix
 from rhodecode.model.meta import Session
 from rhodecode.lib.utils2 import str2bool, safe_unicode
 from rhodecode.lib.exceptions import LdapPasswordError, LdapUsernameError
 from rhodecode.lib.utils import get_repo_slug, get_repos_group_slug
 from rhodecode.lib.auth_ldap import AuthLdap
 from rhodecode.model import meta
 from rhodecode.model.user import UserModel
 from rhodecode.model.db import Permission, RhodeCodeSetting, User, UserIpMap
 from rhodecode.lib.caching_query import FromCache
 log = logging.getLogger(__name__)
 class PasswordGenerator(object):
     """
     This is a simple class for generating password from different sets of
     characters
     usage::
         passwd_gen = PasswordGenerator()
         #print 8-letter password containing only big and small letters
@@ @@ -318,25 +319,24 @@ class AuthUser(object): @@
         self.user_id = user_id
         self.api_key = None
         self.username = username
         self.ip_addr = ip_addr
         self.name = ''
         self.lastname = ''
         self.email = ''
         self.is_authenticated = False
         self.admin = False
         self.inherit_default_permissions = False
         self.permissions = {}
         self.allowed_ips = set()
         self._api_key = api_key
         self.propagate_data()
         self._instance = None
     def propagate_data(self):
         user_model = UserModel()
         self.anonymous_user = User.get_by_username('default', cache=True)
         is_user_loaded = False
         # try go get user by api key
         if self._api_key and self._api_key != self.anonymous_user.api_key:
             log.debug('Auth User lookup by API KEY %s' % self._api_key)
@@ @@ -368,31 +368,47 @@ class AuthUser(object): @@
                 # then we set this user is logged in
                 self.is_authenticated = True
             else:
                 self.user_id = None
                 self.username = None
                 self.is_authenticated = False
         if not self.username:
             self.username = 'None'
         log.debug('Auth User is now %s' % self)
         user_model.fill_perms(self)
         log.debug('Filling Allowed IPs')
         self.allowed_ips = AuthUser.get_allowed_ips(self.user_id)
     @property
     def is_admin(self):
         return self.admin
     @property
     def ip_allowed(self):
         """
         Checks if ip_addr used in constructor is allowed from defined list of
         allowed ip_addresses for user
         :returns: boolean, True if ip is in allowed ip range
         """
         #check IP
         allowed_ips = AuthUser.get_allowed_ips(self.user_id, cache=True)
         if check_ip_access(source_ip=self.ip_addr, allowed_ips=allowed_ips):
             log.debug('IP:%s is in range of %s' % (self.ip_addr, allowed_ips))
             return True
         else:
             log.info('Access for IP:%s forbidden, '
                      'not in %s' % (self.ip_addr, allowed_ips))
             return False
     def __repr__(self):
         return "<AuthUser('id:%s:%s|%s')>" % (self.user_id, self.username,
                                               self.is_authenticated)
     def set_authenticated(self, authenticated=True):
         if self.user_id != self.anonymous_user.user_id:
             self.is_authenticated = authenticated
     def get_cookie_store(self):
         return {'username': self.username,
                 'user_id': self.user_id,
                 'is_authenticated': self.is_authenticated}
@@ @@ -402,27 +418,30 @@ class AuthUser(object): @@
         """
         Creates AuthUser from a cookie store
         :param cls:
         :param cookie_store:
         """
         user_id = cookie_store.get('user_id')
         username = cookie_store.get('username')
         api_key = cookie_store.get('api_key')
         return AuthUser(user_id, api_key, username)
     @classmethod
     def get_allowed_ips(cls, user_id):
+    def get_allowed_ips(cls, user_id, cache=False):
         _set = set()
         user_ips = UserIpMap.query().filter(UserIpMap.user_id == user_id).all()
         user_ips = UserIpMap.query().filter(UserIpMap.user_id == user_id)
         if cache:
             user_ips = user_ips.options(FromCache("sql_cache_short",
                                                   "get_user_ips_%s" % user_id))
         for ip in user_ips:
             _set.add(ip.ip_addr)
         return _set or set(['0.0.0.0/0'])
 def set_available_permissions(config):
     """
     This function will propagate pylons globals with all available defined
     permission given in db. We don't want to check each time from db for new
     permissions since adding a new permission also requires application restart
     ie. to decorate new views with the newly created permission
@@ @@ -453,35 +472,44 @@ class LoginRequired(object): @@
         and grants access based on valid token
     """
     def __init__(self, api_access=False):
         self.api_access = api_access
     def __call__(self, func):
         return decorator(self.__wrapper, func)
     def __wrapper(self, func, *fargs, **fkwargs):
         cls = fargs[0]
         user = cls.rhodecode_user
         loc = "%s:%s" % (cls.__class__.__name__, func.__name__)
         #check IP
         ip_access_ok = True
         if not user.ip_allowed:
             from rhodecode.lib import helpers as h
             h.flash(h.literal(_('IP %s not allowed' % (user.ip_addr))),
                     category='warning')
             ip_access_ok = False
         api_access_ok = False
         if self.api_access:
             log.debug('Checking API KEY access for %s' % cls)
             if user.api_key == request.GET.get('api_key'):
                 api_access_ok = True
             else:
                 log.debug("API KEY token not valid")
-        loc = "%s:%s" % (cls.__class__.__name__, func.__name__)
         log.debug('Checking if %s is authenticated @ %s' % (user.username, loc))
         if user.is_authenticated or api_access_ok:
+        if (user.is_authenticated or api_access_ok) and ip_access_ok:
             reason = 'RegularAuth' if user.is_authenticated else 'APIAuth'
             log.info('user %s is authenticated and granted access to %s '
                      'using %s' % (user.username, loc, reason)
+            )
             return func(*fargs, **fkwargs)
         else:
             log.warn('user %s NOT authenticated on func: %s' % (
                 user, loc)
+            )
             p = url.current()
             log.debug('redirecting to login page with %s' % p)

rhodecode/lib/base.py

➞

Show inline comments

@@ @@ -11,25 +11,25 @@ from paste.httpexceptions import HTTPUna @@
 from paste.httpheaders import WWW_AUTHENTICATE, AUTHORIZATION
 from pylons import config, tmpl_context as c, request, session, url
 from pylons.controllers import WSGIController
 from pylons.controllers.util import redirect
 from pylons.templating import render_mako as render
 from rhodecode import __version__, BACKENDS
 from rhodecode.lib.utils2 import str2bool, safe_unicode, AttributeDict,\
     safe_str, safe_int
 from rhodecode.lib.auth import AuthUser, get_container_username, authfunc,\
-    HasPermissionAnyMiddleware, CookieStoreWrapper, check_ip_access
     HasPermissionAnyMiddleware, CookieStoreWrapper
 from rhodecode.lib.utils import get_repo_slug, invalidate_cache
 from rhodecode.model import meta
 from rhodecode.model.db import Repository, RhodeCodeUi, User, RhodeCodeSetting
 from rhodecode.model.notification import NotificationModel
 from rhodecode.model.scm import ScmModel
 from rhodecode.model.meta import Session
 log = logging.getLogger(__name__)
 def _get_ip_addr(environ):
@@ @@ -137,28 +137,26 @@ class BaseVCSController(object): @@
         invalidate_cache('get_repo_cached_%s' % repo_name)
     def _check_permission(self, action, user, repo_name, ip_addr=None):
         """
         Checks permissions using action (push/pull) user and repository
         name
         :param action: push or pull action
         :param user: user instance
         :param repo_name: repository name
         """
         #check IP
         allowed_ips = AuthUser.get_allowed_ips(user.user_id)
         if check_ip_access(source_ip=ip_addr, allowed_ips=allowed_ips) is False:
             log.info('Access for IP:%s forbidden, '
                      'not in %s' % (ip_addr, allowed_ips))
         authuser = AuthUser(user_id=user.user_id, ip_addr=ip_addr)
         if not authuser.ip_allowed:
             return False
         else:
             log.info('Access for IP:%s allowed' % (ip_addr))
         if action == 'push':
             if not HasPermissionAnyMiddleware('repository.write',
                                               'repository.admin')(user,
                                                                   repo_name):
                 return False
         else:
             #any other action need at least read permission
             if not HasPermissionAnyMiddleware('repository.read',

rhodecode/model/db.py

➞

Show inline comments

@@ @@ -527,24 +527,25 @@ class UserEmailMap(Base, BaseModel): @@
 class UserIpMap(Base, BaseModel):
     __tablename__ = 'user_ip_map'
     __table_args__ = (
         UniqueConstraint('user_id', 'ip_addr'),
         {'extend_existing': True, 'mysql_engine': 'InnoDB',
          'mysql_charset': 'utf8'}
+    )
     __mapper_args__ = {}
     ip_id = Column("ip_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)
     user_id = Column("user_id", Integer(), ForeignKey('users.user_id'), nullable=True, unique=None, default=None)
     ip_addr = Column("ip_addr", String(255, convert_unicode=False, assert_unicode=None), nullable=True, unique=False, default=None)
     active = Column("active", Boolean(), nullable=True, unique=None, default=True)
     user = relationship('User', lazy='joined')
     @classmethod
     def _get_ip_range(cls, ip_addr):
         from rhodecode.lib import ipaddr
         net = ipaddr.IPv4Network(ip_addr)
         return [str(net.network), str(net.broadcast)]
     def __json__(self):
         return dict(
           ip_addr=self.ip_addr,
           ip_range=self._get_ip_range(self.ip_addr)

rhodecode/model/user.py

➞

Show inline comments

@@ @@ -18,25 +18,24 @@ @@
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 # GNU General Public License for more details.
+#
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 import logging
 import traceback
 import itertools
 import collections
 import functools
 from pylons import url
 from pylons.i18n.translation import _
 from sqlalchemy.exc import DatabaseError
 from sqlalchemy.orm import joinedload
 from rhodecode.lib.utils2 import safe_unicode, generate_api_key
 from rhodecode.lib.caching_query import FromCache
 from rhodecode.model import BaseModel
 from rhodecode.model.db import User, UserRepoToPerm, Repository, Permission, \
     UserToPerm, UsersGroupRepoToPerm, UsersGroupToPerm, UsersGroupMember, \
     Notification, RepoGroup, UserRepoGroupToPerm, UsersGroupRepoGroupToPerm, \

rhodecode/public/css/style.css

➞

Show inline comments

@@ @@ -1993,61 +1993,58 @@ a.metatag[tag="license"]:hover { @@
 #footer div#footer-inner .footer-link {
 	float: left;
 	padding-left: 10px;
+}
 #footer div#footer-inner .footer-link a,#footer div#footer-inner .footer-link-right a
+	{
 	color: #FFF;
+}
 #login div.title {
 	width: 420px;
 	clear: both;
 	overflow: hidden;
 	position: relative;
 	background-color: #003B76;
 	background-repeat : repeat-x;
 	background-image : -khtml-gradient( linear, left top, left bottom, from(#003B76), to(#00376E));
 	background-image : -moz-linear-gradient( top, #003b76, #00376e);
 	background-image : -ms-linear-gradient( top, #003b76, #00376e);
 	background-image : -webkit-gradient( linear, left top, left bottom, color-stop( 0%, #003b76), color-stop( 100%, #00376e));
 	background-image : -webkit-linear-gradient( top, #003b76, #00376e));
 	background-image : -o-linear-gradient( top, #003b76, #00376e));
 	background-image : linear-gradient( top, #003b76, #00376e);
 	filter : progid : DXImageTransform.Microsoft.gradient ( startColorstr = '#003b76', endColorstr = '#00376e', GradientType = 0);
 	margin: 0 auto;
 	padding: 0;
+}
 #login div.inner {
 	width: 380px;
 	background: #FFF url("../images/login.png") no-repeat top left;
 	border-top: none;
 	border-bottom: none;
 	margin: 0 auto;
 	padding: 20px;
+}
 #login div.form div.fields div.field div.label {
 	width: 173px;
 	float: left;
 	text-align: right;
 	margin: 2px 10px 0 0;
 	padding: 5px 0 0 5px;
+}
 #login div.form div.fields div.field div.input input {
 	width: 176px;
 	background: #FFF;
 	border-top: 1px solid #b3b3b3;
 	border-left: 1px solid #b3b3b3;
 	border-right: 1px solid #eaeaea;
 	border-bottom: 1px solid #eaeaea;
 	color: #000;
 	font-size: 11px;
 	margin: 0;
 	padding: 7px 7px 6px;
+}
 #login div.form div.fields div.buttons {

0 comments (0 inline, 0 general)