Changeset - c6ce891312ef
Parent rev.
Child rev.
[Not reviewed]
default
0 4 0
Mads Kiilerich - 7 years ago 2018-12-26 02:21:26
mads@kiilerich.com
auth: consistently use request.authuser - drop request.user

This seems like old tech debt. Now, just get rid of it.
4 files changed with 8 insertions and 8 deletions:
kallithea/controllers/api/__init__.py
1
1
kallithea/lib/auth.py
5
5
kallithea/lib/base.py
1
1
kallithea/tests/fixture.py
1
1
0 comments (0 inline, 0 general)
kallithea/controllers/api/__init__.py
Show inline comments
 
@@ -161,49 +161,49 @@ class JSONRPCController(TGController):
 
            raise JSONRPCErrorResponse(retid=self._req_id,
 
                                       message='Invalid API key')
 

			




	
	
	
		
 
        self._error = None

			




	
	
	
		
 
        try:

			




	
	
	
		
 
            self._func = self._find_method()

			




	
	
	
		
 
        except AttributeError as e:

			




	
	
	
		
 
            raise JSONRPCErrorResponse(retid=self._req_id,

			




	
	
	
		
 
                                       message=str(e))

			




	
	
	
		
 

			




	
	
	
		
 
        # now that we have a method, add self._req_params to

			




	
	
	
		
 
        # self.kargs and dispatch control to WGIController

			




	
	
	
		
 
        argspec = inspect.getargspec(self._func)

			




	
	
	
		
 
        arglist = argspec[0][1:]

			




	
	
	
		
 
        defaults = map(type, argspec[3] or [])

			




	
	
	
		
 
        default_empty = types.NotImplementedType

			




	
	
	
		
 

			




	
	
	
		
 
        # kw arguments required by this method

			




	
	
	
		
 
        func_kwargs = dict(itertools.izip_longest(reversed(arglist), reversed(defaults),

			




	
	
	
		
 
                                                  fillvalue=default_empty))

			




	
	
	
		
 

			




	
	
	
		
 
        # this is little trick to inject logged in user for

			




	
	
	
		
 
        # perms decorators to work they expect the controller class to have

			




	
	
	
		
 
        # authuser attribute set

			




	
	
	
		
 
        request.authuser = request.user = auth_u

			




	
	
	
		
 
        request.authuser = auth_u

			




	
	
	
		
 

			




	
	
	
		
 
        # This attribute will need to be first param of a method that uses

			




	
	
	
		
 
        # api_key, which is translated to instance of user at that name

			




	
	
	
		
 
        USER_SESSION_ATTR = 'apiuser'

			




	
	
	
		
 

			




	
	
	
		
 
        # get our arglist and check if we provided them as args

			




	
	
	
		
 
        for arg, default in func_kwargs.iteritems():

			




	
	
	
		
 
            if arg == USER_SESSION_ATTR:

			




	
	
	
		
 
                # USER_SESSION_ATTR is something translated from API key and

			




	
	
	
		
 
                # this is checked before so we don't need validate it

			




	
	
	
		
 
                continue

			




	
	
	
		
 

			




	
	
	
		
 
            # skip the required param check if it's default value is

			




	
	
	
		
 
            # NotImplementedType (default_empty)

			




	
	
	
		
 
            if default == default_empty and arg not in self._request_params:

			




	
	
	
		
 
                raise JSONRPCErrorResponse(

			




	
	
	
		
 
                    retid=self._req_id,

			




	
	
	
		
 
                    message='Missing non optional `%s` arg in JSON DATA' % arg,

			




	
	
	
		
 
                )

			




	
	
	
		
 

			




	
	
	
		
 
        extra = set(self._request_params).difference(func_kwargs)

			




	
	
	
		
 
        if extra:

			




	
	
	
		
 
                raise JSONRPCErrorResponse(

			




	
	
	
		
 
                    retid=self._req_id,

			




        

    


    
    

    

        

                

                    kallithea/lib/auth.py
                

                

                  
                      
                        

                      

                      
                        
                  

                  
                      
                  
                      
                  
                      
                  
                      
                  
                  
                

                

                    Show inline comments
                    
                

        

        

            



	
	
		
 
@@ -923,80 +923,80 @@ class HasUserGroupPermissionLevelDecorat

			




	
	
	
		
 
#==============================================================================

			




	
	
	
		
 
# CHECK FUNCTIONS

			




	
	
	
		
 
#==============================================================================

			




	
	
	
		
 

			




	
	
	
		
 
class _PermsFunction(object):

			




	
	
	
		
 
    """Base function for other check functions with multiple permissions"""

			




	
	
	
		
 

			




	
	
	
		
 
    def __init__(self, *required_perms):

			




	
	
	
		
 
        self.required_perms = required_perms # usually very short - a list is thus fine

			




	
	
	
		
 

			




	
	
	
		
 
    def __nonzero__(self):

			




	
	
	
		
 
        """ Defend against accidentally forgetting to call the object

			




	
	
	
		
 
            and instead evaluating it directly in a boolean context,

			




	
	
	
		
 
            which could have security implications.

			




	
	
	
		
 
        """

			




	
	
	
		
 
        raise AssertionError(self.__class__.__name__ + ' is not a bool and must be called!')

			




	
	
	
		
 

			




	
	
	
		
 
    def __call__(self, *a, **b):

			




	
	
	
		
 
        raise NotImplementedError()

			




	
	
	
		
 

			




	
	
	
		
 

			




	
	
	
		
 
class HasPermissionAny(_PermsFunction):

			




	
	
	
		
 

			




	
	
	
		
 
    def __call__(self, purpose=None):

			




	
	
	
		
 
        global_permissions = request.user.permissions['global'] # usually very short

			




	
	
	
		
 
        global_permissions = request.authuser.permissions['global'] # usually very short

			




	
	
	
		
 
        ok = any(p in global_permissions for p in self.required_perms)

			




	
	
	
		
 

			




	
	
	
		
 
        log.debug('Check %s for global %s (%s): %s' %

			




	
	
	
		
 
            (request.user.username, self.required_perms, purpose, ok))

			




	
	
	
		
 
            (request.authuser.username, self.required_perms, purpose, ok))

			




	
	
	
		
 
        return ok

			




	
	
	
		
 

			




	
	
	
		
 

			




	
	
	
		
 
class _PermFunction(_PermsFunction):

			




	
	
	
		
 
    """Base function for other check functions with a single permission"""

			




	
	
	
		
 

			




	
	
	
		
 
    def __init__(self, required_perm):

			




	
	
	
		
 
        _PermsFunction.__init__(self, [required_perm])

			




	
	
	
		
 
        self.required_perm = required_perm

			




	
	
	
		
 

			




	
	
	
		
 

			




	
	
	
		
 
class HasRepoPermissionLevel(_PermFunction):

			




	
	
	
		
 

			




	
	
	
		
 
    def __call__(self, repo_name, purpose=None):

			




	
	
	
		
 
        return request.user.has_repository_permission_level(repo_name, self.required_perm, purpose)

			




	
	
	
		
 
        return request.authuser.has_repository_permission_level(repo_name, self.required_perm, purpose)

			




	
	
	
		
 

			




	
	
	
		
 

			




	
	
	
		
 
class HasRepoGroupPermissionLevel(_PermFunction):

			




	
	
	
		
 

			




	
	
	
		
 
    def __call__(self, group_name, purpose=None):

			




	
	
	
		
 
        return request.user.has_repository_group_permission_level(group_name, self.required_perm, purpose)

			




	
	
	
		
 
        return request.authuser.has_repository_group_permission_level(group_name, self.required_perm, purpose)

			




	
	
	
		
 

			




	
	
	
		
 

			




	
	
	
		
 
class HasUserGroupPermissionLevel(_PermFunction):

			




	
	
	
		
 

			




	
	
	
		
 
    def __call__(self, user_group_name, purpose=None):

			




	
	
	
		
 
        return request.user.has_user_group_permission_level(user_group_name, self.required_perm, purpose)

			




	
	
	
		
 
        return request.authuser.has_user_group_permission_level(user_group_name, self.required_perm, purpose)

			




	
	
	
		
 

			




	
	
	
		
 

			




	
	
	
		
 
#==============================================================================

			




	
	
	
		
 
# SPECIAL VERSION TO HANDLE MIDDLEWARE AUTH

			




	
	
	
		
 
#==============================================================================

			




	
	
	
		
 

			




	
	
	
		
 
class HasPermissionAnyMiddleware(object):

			




	
	
	
		
 
    def __init__(self, *perms):

			




	
	
	
		
 
        self.required_perms = set(perms)

			




	
	
	
		
 

			




	
	
	
		
 
    def __call__(self, user, repo_name, purpose=None):

			




	
	
	
		
 
        # repo_name MUST be unicode, since we handle keys in ok

			




	
	
	
		
 
        # dict by unicode

			




	
	
	
		
 
        repo_name = safe_unicode(repo_name)

			




	
	
	
		
 
        user = AuthUser(user.user_id)

			




	
	
	
		
 

			




	
	
	
		
 
        try:

			




	
	
	
		
 
            ok = user.permissions['repositories'][repo_name] in self.required_perms

			




	
	
	
		
 
        except KeyError:

			




	
	
	
		
 
            ok = False

			




	
	
	
		
 

			




	
	
	
		
 
        log.debug('Middleware check %s for %s for repo %s (%s): %s' % (user.username, self.required_perms, repo_name, purpose, ok))

			




	
	
	
		
 
        return ok

			




	
	
	
		
 

			




        

    


    
    

    

        

                

                    kallithea/lib/base.py
                

                

                  
                      
                        

                      

                      
                        
                  

                  
                      
                  
                      
                  
                      
                  
                      
                  
                  
                

                

                    Show inline comments
                    
                

        

        

            



	
	
		
 
@@ -508,49 +508,49 @@ class BaseController(TGController):

			




	
	
	
		
 
        # this assumption.

			




	
	
	
		
 
        if request.method not in ['POST', 'PUT'] and request.POST:

			




	
	
	
		
 
            log.error('%r request with payload parameters; WebOb should have stopped this', request.method)

			




	
	
	
		
 
            raise webob.exc.HTTPBadRequest()

			




	
	
	
		
 

			




	
	
	
		
 
    def __call__(self, environ, context):

			




	
	
	
		
 
        try:

			




	
	
	
		
 
            request.ip_addr = _get_ip_addr(environ)

			




	
	
	
		
 
            # make sure that we update permissions each time we call controller

			




	
	
	
		
 

			




	
	
	
		
 
            self._basic_security_checks()

			




	
	
	
		
 

			




	
	
	
		
 
            # set globals for auth user

			




	
	
	
		
 

			




	
	
	
		
 
            bearer_token = None

			




	
	
	
		
 
            try:

			




	
	
	
		
 
                # Request.authorization may raise ValueError on invalid input

			




	
	
	
		
 
                type, params = request.authorization

			




	
	
	
		
 
            except (ValueError, TypeError):

			




	
	
	
		
 
                pass

			




	
	
	
		
 
            else:

			




	
	
	
		
 
                if type.lower() == 'bearer':

			




	
	
	
		
 
                    bearer_token = params

			




	
	
	
		
 

			




	
	
	
		
 
            request.authuser = request.user = self._determine_auth_user(

			




	
	
	
		
 
            request.authuser = self._determine_auth_user(

			




	
	
	
		
 
                request.GET.get('api_key'),

			




	
	
	
		
 
                bearer_token,

			




	
	
	
		
 
                session.get('authuser'),

			




	
	
	
		
 
            )

			




	
	
	
		
 

			




	
	
	
		
 
            log.info('IP: %s User: %s accessed %s',

			




	
	
	
		
 
                request.ip_addr, request.authuser,

			




	
	
	
		
 
                safe_unicode(_get_access_path(environ)),

			




	
	
	
		
 
            )

			




	
	
	
		
 
            return super(BaseController, self).__call__(environ, context)

			




	
	
	
		
 
        except webob.exc.HTTPException as e:

			




	
	
	
		
 
            return e

			




	
	
	
		
 

			




	
	
	
		
 

			




	
	
	
		
 
class BaseRepoController(BaseController):

			




	
	
	
		
 
    """

			




	
	
	
		
 
    Base class for controllers responsible for loading all needed data for

			




	
	
	
		
 
    repository loaded items are

			




	
	
	
		
 

			




	
	
	
		
 
    c.db_repo_scm_instance: instance of scm repository

			




	
	
	
		
 
    c.db_repo: instance of db

			




	
	
	
		
 
    c.repository_followers: number of followers

			




	
	
	
		
 
    c.repository_forks: number of forks

			




	
	
	
		
 
    c.repository_following: weather the current user is following the current repo

			




        

    


    
    

    

        

                

                    kallithea/tests/fixture.py
                

                

                  
                      
                        

                      

                      
                        
                  

                  
                      
                  
                      
                  
                      
                  
                      
                  
                  
                

                

                    Show inline comments
                    
                

        

        

            



	
	
		
 
@@ -312,49 +312,49 @@ class Fixture(object):

			




	
	
	
		
 
        else:

			




	
	
	
		
 
            cs = ScmModel().commit_change(

			




	
	
	
		
 
                repo=repo.scm_instance, repo_name=repo.repo_name,

			




	
	
	
		
 
                cs=parent, user=TEST_USER_ADMIN_LOGIN,

			




	
	
	
		
 
                author=author,

			




	
	
	
		
 
                message=message,

			




	
	
	
		
 
                content=content,

			




	
	
	
		
 
                f_path=filename

			




	
	
	
		
 
            )

			




	
	
	
		
 
        return cs

			




	
	
	
		
 

			




	
	
	
		
 
    def review_changeset(self, repo, revision, status, author=TEST_USER_ADMIN_LOGIN):

			




	
	
	
		
 
        comment = ChangesetCommentsModel().create(u"review comment", repo, author, revision=revision, send_email=False)

			




	
	
	
		
 
        csm = ChangesetStatusModel().set_status(repo, ChangesetStatus.STATUS_APPROVED, author, comment, revision=revision)

			




	
	
	
		
 
        Session().commit()

			




	
	
	
		
 
        return csm

			




	
	
	
		
 

			




	
	
	
		
 
    def create_pullrequest(self, testcontroller, repo_name, pr_src_rev, pr_dst_rev, title=u'title'):

			




	
	
	
		
 
        org_ref = 'branch:stable:%s' % pr_src_rev

			




	
	
	
		
 
        other_ref = 'branch:default:%s' % pr_dst_rev

			




	
	
	
		
 
        with test_context(testcontroller.app): # needed to be able to mock request user

			




	
	
	
		
 
            org_repo = other_repo = Repository.get_by_repo_name(repo_name)

			




	
	
	
		
 
            owner_user = User.get_by_username(TEST_USER_ADMIN_LOGIN)

			




	
	
	
		
 
            reviewers = [User.get_by_username(TEST_USER_REGULAR_LOGIN)]

			




	
	
	
		
 
            request.authuser = request.user = AuthUser(dbuser=owner_user)

			




	
	
	
		
 
            request.authuser = AuthUser(dbuser=owner_user)

			




	
	
	
		
 
            # creating a PR sends a message with an absolute URL - without routing that requires mocking

			




	
	
	
		
 
            with mock.patch.object(helpers, 'url', (lambda arg, qualified=False, **kwargs: ('https://localhost' if qualified else '') + '/fake/' + arg)):

			




	
	
	
		
 
                cmd = CreatePullRequestAction(org_repo, other_repo, org_ref, other_ref, title, u'No description', owner_user, reviewers)

			




	
	
	
		
 
                pull_request = cmd.execute()

			




	
	
	
		
 
            Session().commit()

			




	
	
	
		
 
        return pull_request.pull_request_id

			




	
	
	
		
 

			




	
	
	
		
 

			




	
	
	
		
 
#==============================================================================

			




	
	
	
		
 
# Global test environment setup

			




	
	
	
		
 
#==============================================================================

			




	
	
	
		
 

			




	
	
	
		
 
def create_test_env(repos_test_path, config):

			




	
	
	
		
 
    """

			




	
	
	
		
 
    Makes a fresh database and

			




	
	
	
		
 
    install test repository into tmp dir

			




	
	
	
		
 
    """

			




	
	
	
		
 

			




	
	
	
		
 
    # PART ONE create db

			




	
	
	
		
 
    dbconf = config['sqlalchemy.url']

			




	
	
	
		
 
    log.debug('making test db %s', dbconf)

			




	
	
	
		
 

			




	
	
	
		
 
    # create test dir if it doesn't exist

			




	
	
	
		
 
    if not os.path.isdir(repos_test_path):

			




        

    



    


    



    



      

      





    
    0 comments (0 inline, 0 general)
    





    


  

  







  


    




    








    
        
    
    
        This site is powered by
            Kallithea 0.7.0,
        which is
        © 2010–2025 by various authors & licensed under GPLv3.