kallithea Changeset - c961b78ff0a0

Changeset - c961b78ff0a0

Parent rev.

Child rev.

[Not reviewed]

default

0 1 0

Marcin Kuzminski - 15 years ago 2010-06-29 20:43:01
marcin@python-works.com

rewritten simplehg middleware. Now permissions are checked for each repository/request/user

1 file changed with 47 insertions and 20 deletions:

pylons_app/lib/middleware/simplehg.py

0 comments (0 inline, 0 general)

pylons_app/lib/middleware/simplehg.py

➞

Show inline comments

@@ @@ -17,97 +17,125 @@ @@
 # along with this program; if not, write to the Free Software
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
 # MA  02110-1301, USA.
 """
 Created on 2010-04-28
 @author: marcink
 SimpleHG middleware for handling mercurial protocol request (push/clone etc.)
 It's implemented with basic auth function
 """
 from datetime import datetime
 from itertools import chain
 from mercurial.hgweb import hgweb
 from mercurial.hgweb.request import wsgiapplication
 from paste.auth.basic import AuthBasicAuthenticator
 from paste.httpheaders import REMOTE_USER, AUTH_TYPE
 from pylons_app.lib.auth import authfunc
+from pylons_app.lib.auth import authfunc, HasPermissionAnyMiddleware
 from pylons_app.lib.utils import is_mercurial, make_ui, invalidate_cache
 from pylons_app.model import meta
 from pylons_app.model.db import UserLog, User
 from webob.exc import HTTPNotFound
+from webob.exc import HTTPNotFound, HTTPForbidden
 import logging
 import os
-from itertools import chain
+import traceback
 log = logging.getLogger(__name__)
 class SimpleHg(object):
     def __init__(self, application, config):
         self.application = application
         self.config = config
         #authenticate this mercurial request using
         realm = '%s %s' % (config['hg_app_name'], 'mercurial repository')
+        realm = '%s %s' % (self.config['hg_app_name'], 'mercurial repository')
         self.authenticate = AuthBasicAuthenticator(realm, authfunc)
     def __call__(self, environ, start_response):
         if not is_mercurial(environ):
             return self.application(environ, start_response)
         else:
             #===================================================================
             # AUTHENTICATE THIS MERCURIAL REQUEST
             #===================================================================
             username = REMOTE_USER(environ)
             if not username:
                 result = self.authenticate(environ)
                 if isinstance(result, str):
                     AUTH_TYPE.update(environ, 'basic')
                     REMOTE_USER.update(environ, result)
                 else:
                     return result.wsgi_application(environ, start_response)
             try:
                 repo_name = '/'.join(environ['PATH_INFO'].split('/')[1:])
             except Exception as e:
-                log.error(e)
+                log.error(traceback.format_exc())
                 return HTTPNotFound()(environ, start_response)
             #since we wrap into hgweb, just reset the path
             environ['PATH_INFO'] = '/'
             #===================================================================
             # CHECK PERMISSIONS FOR THIS REQUEST
             #===================================================================
             action = self.__get_action(environ)
             if action:
                 username = self.__get_environ_user(environ)
                 try:
                     sa = meta.Session
                     user = sa.query(User)\
                         .filter(User.username == username).one()
                 except:
                     return HTTPNotFound()(environ, start_response)
                 #check permissions for this repository
                 if action == 'pull':
                     if not HasPermissionAnyMiddleware('repository.read',
                                                       'repository.write',
                                                       'repository.admin')\
                                                         (user, repo_name):
                         return HTTPForbidden()(environ, start_response)
                 if action == 'push':
                     if not HasPermissionAnyMiddleware('repository.write',
                                                       'repository.admin')\
                                                         (user, repo_name):
                         return HTTPForbidden()(environ, start_response)
                 #log action
                 self.__log_user_action(user, action, repo_name)
             #===================================================================
             # MERCURIAL REQUEST HANDLING
             #===================================================================
             environ['PATH_INFO'] = '/'#since we wrap into hgweb, reset the path
             self.baseui = make_ui(self.config['hg_app_repo_conf'])
             self.basepath = self.baseui.configitems('paths')[0][1]\
                                                             .replace('*', '')
             self.basepath = self.config['base_path']
             self.repo_path = os.path.join(self.basepath, repo_name)
             try:
                 app = wsgiapplication(self.__make_app)
             except Exception as e:
                 log.error(e)
             except Exception:
                 log.error(traceback.format_exc())
                 return HTTPNotFound()(environ, start_response)
             action = self.__get_action(environ)
             #invalidate cache on push
             if action == 'push':
                 self.__invalidate_cache(repo_name)
             if action:
                 username = self.__get_environ_user(environ)
                 self.__log_user_action(username, action, repo_name)
             messages = ['thanks for using hg app !']
             return self.msg_wrapper(app, environ, start_response, messages)
     def msg_wrapper(self, app, environ, start_response, messages):
         """
         Wrapper for custom messages that come out of mercurial respond messages
         is a list of messages that the user will see at the end of response from
         merurial protocol actions that involves remote answers
         is a list of messages that the user will see at the end of response
         from merurial protocol actions that involves remote answers
         @param app:
         @param environ:
         @param start_response:
         """
         def custom_messages(msg_list):
             for msg in msg_list:
                 yield msg + '\n'
         org_response = app(environ, start_response)
         return chain(org_response, custom_messages(messages))
     def __make_app(self):
         hgserve = hgweb(self.repo_path)
@@ @@ -124,37 +152,36 @@ class SimpleHg(object): @@
         mapping = {
             'changegroup': 'pull',
             'changegroupsubset': 'pull',
             'unbundle': 'push',
             'stream_out': 'pull',
+        }
         for qry in environ['QUERY_STRING'].split('&'):
             if qry.startswith('cmd'):
                 cmd = qry.split('=')[-1]
                 if mapping.has_key(cmd):
                     return mapping[cmd]
-    def __log_user_action(self, username, action, repo):
+    def __log_user_action(self, user, action, repo):
         sa = meta.Session
         try:
             user = sa.query(User).filter(User.username == username).one()
             user_log = UserLog()
             user_log.user_id = user.user_id
             user_log.action = action
             user_log.repository = repo.replace('/', '')
             user_log.action_date = datetime.now()
             sa.add(user_log)
             sa.commit()
             log.info('Adding user %s, action %s on %s',
                                             username, action, repo)
+                                            user.username, action, repo)
         except Exception as e:
             sa.rollback()
             log.error('could not log user action:%s', str(e))
     def __invalidate_cache(self, repo_name):
         """we know that some change was made to repositories and we should
         invalidate the cache to see the changes right away but only for
         push requests"""
         invalidate_cache('cached_repo_list')
         invalidate_cache('full_changelog', repo_name)

0 comments (0 inline, 0 general)