@@ -38,7 +38,7 @@ except ImportError:
__version__ = ('.'.join((str(each) for each in VERSION[:3])) +
'.'.join(VERSION[3:]))
__dbversion__ = 9 # defines current db version for migrations
__dbversion__ = 10 # defines current db version for migrations
__platform__ = platform.system()
__license__ = 'GPLv3'
__py_version__ = sys.version_info
@@ -222,6 +222,10 @@ def make_map(config):
action="add_email", conditions=dict(method=["PUT"]))
m.connect("user_emails_delete", "/users_emails/{id}",
action="delete_email", conditions=dict(method=["DELETE"]))
m.connect("user_ips", "/users_ips/{id}",
action="add_ip", conditions=dict(method=["PUT"]))
m.connect("user_ips_delete", "/users_ips/{id}",
action="delete_ip", conditions=dict(method=["DELETE"]))
#ADMIN USERS GROUPS REST ROUTES
with rmap.submapper(path_prefix=ADMIN_PREFIX,
@@ -33,11 +33,12 @@ from pylons.controllers.util import abor
from pylons.i18n.translation import _
from rhodecode.lib import helpers as h
from rhodecode.lib.auth import LoginRequired, HasPermissionAllDecorator
from rhodecode.lib.auth import LoginRequired, HasPermissionAllDecorator,\
AuthUser
from rhodecode.lib.base import BaseController, render
from rhodecode.model.forms import DefaultPermissionsForm
from rhodecode.model.permission import PermissionModel
from rhodecode.model.db import User
from rhodecode.model.db import User, UserIpMap
from rhodecode.model.meta import Session
log = logging.getLogger(__name__)
@@ -105,36 +106,41 @@ class PermissionsController(BaseControll
# h.form(url('permission', id=ID),
# method='put')
# url('permission', id=ID)
permission_model = PermissionModel()
if id == 'default':
c.user = default_user = User.get_by_username('default')
c.perm_user = AuthUser(user_id=default_user.user_id)
c.user_ip_map = UserIpMap.query()\
.filter(UserIpMap.user == default_user).all()
_form = DefaultPermissionsForm([x[0] for x in self.repo_perms_choices],
[x[0] for x in self.group_perms_choices],
[x[0] for x in self.register_choices],
[x[0] for x in self.create_choices],
[x[0] for x in self.fork_choices])()
_form = DefaultPermissionsForm(
[x[0] for x in self.repo_perms_choices],
try:
form_result = _form.to_python(dict(request.POST))
form_result.update({'perm_user_name': id})
permission_model.update(form_result)
Session().commit()
h.flash(_('Default permissions updated successfully'),
category='success')
except formencode.Invalid, errors:
defaults = errors.value
return htmlfill.render(
render('admin/permissions/permissions.html'),
defaults=defaults,
errors=errors.error_dict or {},
prefix_error=False,
encoding="UTF-8")
except Exception:
log.error(traceback.format_exc())
h.flash(_('error occurred during update of permissions'),
category='error')
return redirect(url('edit_permission', id=id))
@@ -157,10 +163,11 @@ class PermissionsController(BaseControll
#this form can only edit default user permissions
default_user = User.get_by_username('default')
defaults = {'_method': 'put',
'anonymous': default_user.active}
defaults = {'anonymous': default_user.active}
for p in default_user.user_perms:
if p.permission.permission_name.startswith('repository.'):
defaults['default_repo_perm'] = p.permission.permission_name
@@ -181,7 +188,7 @@ class PermissionsController(BaseControll
encoding="UTF-8",
force_defaults=True,
force_defaults=False
)
else:
return redirect(url('admin_home'))
@@ -41,7 +41,7 @@ from rhodecode.lib.auth import LoginRequ
from rhodecode.model.db import User, UserEmailMap
from rhodecode.model.db import User, UserEmailMap, UserIpMap
from rhodecode.model.forms import UserForm
from rhodecode.model.user import UserModel
@@ -159,7 +159,7 @@ class UsersController(BaseController):
user_model = UserModel()
c.user = user_model.get(id)
c.ldap_dn = c.user.ldap_dn
c.perm_user = AuthUser(user_id=id)
c.perm_user = AuthUser(user_id=id, ip_addr=self.ip_addr)
_form = UserForm(edit=True, old_data={'user_id': id,
'email': c.user.email})()
form_result = {}
@@ -178,6 +178,8 @@ class UsersController(BaseController):
c.user_email_map = UserEmailMap.query()\
.filter(UserEmailMap.user == c.user).all()
.filter(UserIpMap.user == c.user).all()
e = errors.error_dict or {}
defaults.update({
@@ -231,12 +233,14 @@ class UsersController(BaseController):
h.flash(_("You can't edit this user"), category='warning')
return redirect(url('users'))
c.user.permissions = {}
c.granted_permissions = UserModel().fill_perms(c.user)\
.permissions['global']
defaults = c.user.get_dict()
@@ -299,7 +303,6 @@ class UsersController(BaseController):
"""POST /user_emails:Add an existing item"""
# url('user_emails', id=ID, method='put')
#TODO: validation and form !!!
email = request.POST.get('new_email')
@@ -324,3 +327,36 @@ class UsersController(BaseController):
h.flash(_("Removed email from user"), category='success')
return redirect(url('edit_user', id=id))
def add_ip(self, id):
"""POST /user_ips:Add an existing item"""
# url('user_ips', id=ID, method='put')
ip = request.POST.get('new_ip')
user_model.add_extra_ip(id, ip)
h.flash(_("Added ip %s to user") % ip, category='success')
except formencode.Invalid, error:
msg = error.error_dict['ip']
h.flash(msg, category='error')
h.flash(_('An error occurred during ip saving'),
if 'default_user' in request.POST:
return redirect(url('edit_permission', id='default'))
def delete_ip(self, id):
"""DELETE /user_ips_delete/id: Delete an existing item"""
# url('user_ips_delete', id=ID, method='delete')
user_model.delete_extra_ip(id, request.POST.get('del_ip'))
h.flash(_("Removed ip from user"), category='success')
@@ -43,7 +43,7 @@ from webob.exc import HTTPNotFound, HTTP
HTTPBadRequest, HTTPError
from rhodecode.lib.auth import AuthUser
from rhodecode.lib.auth import AuthUser, check_ip_access
from rhodecode.lib.base import _get_ip_addr, _get_access_path
from rhodecode.lib.utils2 import safe_unicode
@@ -99,6 +99,7 @@ class JSONRPCController(WSGIController):
controller and if it exists, dispatch to it.
"""
start = time.time()
ip_addr = self._get_ip_addr(environ)
self._req_id = None
if 'CONTENT_LENGTH' not in environ:
log.debug("No Content-Length")
@@ -144,7 +145,17 @@ class JSONRPCController(WSGIController):
if u is None:
return jsonrpc_error(retid=self._req_id,
message='Invalid API KEY')
auth_u = AuthUser(u.user_id, self._req_api_key)
#check if we are allowed to use this IP
allowed_ips = AuthUser.get_allowed_ips(u.user_id)
if check_ip_access(source_ip=ip_addr, allowed_ips=allowed_ips) is False:
log.info('Access for IP:%s forbidden, '
'not in %s' % (ip_addr, allowed_ips))
message='request from IP:%s not allowed' % (ip_addr))
log.info('Access for IP:%s allowed' % (ip_addr))
auth_u = AuthUser(u.user_id, self._req_api_key, ip_addr=ip_addr)
except Exception, e:
@@ -140,6 +140,9 @@ class ApiController(JSONRPCController):
errors that happens
def _get_ip_addr(self, environ):
from rhodecode.lib.base import _get_ip_addr
return _get_ip_addr(environ)
@HasPermissionAllDecorator('hg.admin')
def pull(self, apiuser, repoid):
@@ -45,7 +45,7 @@ from rhodecode.lib.auth_ldap import Auth
from rhodecode.model import meta
from rhodecode.model.db import Permission, RhodeCodeSetting, User
from rhodecode.model.db import Permission, RhodeCodeSetting, User, UserIpMap
@@ -313,11 +313,12 @@ class AuthUser(object):
in
def __init__(self, user_id=None, api_key=None, username=None):
def __init__(self, user_id=None, api_key=None, username=None, ip_addr=None):
self.user_id = user_id
self.api_key = None
self.username = username
self.ip_addr = ip_addr
self.name = ''
self.lastname = ''
@@ -326,6 +327,7 @@ class AuthUser(object):
self.admin = False
self.inherit_default_permissions = False
self.permissions = {}
self.allowed_ips = set()
self._api_key = api_key
self.propagate_data()
self._instance = None
@@ -375,6 +377,8 @@ class AuthUser(object):
log.debug('Auth User is now %s' % self)
user_model.fill_perms(self)
log.debug('Filling Allowed IPs')
self.allowed_ips = AuthUser.get_allowed_ips(self.user_id)
@property
def is_admin(self):
@@ -406,6 +410,14 @@ class AuthUser(object):
api_key = cookie_store.get('api_key')
return AuthUser(user_id, api_key, username)
@classmethod
def get_allowed_ips(cls, user_id):
_set = set()
user_ips = UserIpMap.query().filter(UserIpMap.user_id == user_id).all()
for ip in user_ips:
_set.add(ip.ip_addr)
return _set or set(['0.0.0.0/0'])
def set_available_permissions(config):
@@ -821,3 +833,19 @@ class HasPermissionAnyMiddleware(object)
return False
def check_ip_access(source_ip, allowed_ips=None):
Checks if source_ip is a subnet of any of allowed_ips.
:param source_ip:
:param allowed_ips: list of allowed ips together with mask
from rhodecode.lib import ipaddr
log.debug('checking if ip:%s is subnet of %s' % (source_ip, allowed_ips))
if isinstance(allowed_ips, (tuple, list, set)):
for ip in allowed_ips:
if ipaddr.IPAddress(source_ip) in ipaddr.IPNetwork(ip):
return True
@@ -20,7 +20,7 @@ from rhodecode import __version__, BACKE
from rhodecode.lib.utils2 import str2bool, safe_unicode, AttributeDict,\
safe_str, safe_int
from rhodecode.lib.auth import AuthUser, get_container_username, authfunc,\
HasPermissionAnyMiddleware, CookieStoreWrapper
HasPermissionAnyMiddleware, CookieStoreWrapper, check_ip_access
from rhodecode.lib.utils import get_repo_slug, invalidate_cache
@@ -101,7 +101,7 @@ class BaseVCSController(object):
#authenticate this mercurial request using authfunc
self.authenticate = BasicAuth('', authfunc,
config.get('auth_ret_code'))
self.ipaddr = '0.0.0.0'
self.ip_addr = '0.0.0.0'
def _handle_request(self, environ, start_response):
raise NotImplementedError()
@@ -136,7 +136,7 @@ class BaseVCSController(object):
invalidate_cache('get_repo_cached_%s' % repo_name)
def _check_permission(self, action, user, repo_name):
def _check_permission(self, action, user, repo_name, ip_addr=None):
Checks permissions using action (push/pull) user and repository
name
@@ -145,6 +145,14 @@ class BaseVCSController(object):
:param user: user instance
:param repo_name: repository name
#check IP
allowed_ips = AuthUser.get_allowed_ips(user.user_id)
if action == 'push':
if not HasPermissionAnyMiddleware('repository.write',
'repository.admin')(user,
@@ -235,6 +243,9 @@ class BaseVCSController(object):
class BaseController(WSGIController):
def __before__(self):
__before__ is called before controller methods and after __call__
c.rhodecode_version = __version__
c.rhodecode_instanceid = config.get('instance_id')
c.rhodecode_name = config.get('rhodecode_title')
@@ -258,7 +269,6 @@ class BaseController(WSGIController):
self.sa = meta.Session
self.scm_model = ScmModel(self.sa)
self.ip_addr = ''
def __call__(self, environ, start_response):
"""Invoke the Controller"""
@@ -273,7 +283,7 @@ class BaseController(WSGIController):
cookie_store = CookieStoreWrapper(session.get('rhodecode_user'))
user_id = cookie_store.get('user_id', None)
username = get_container_username(environ, config)
auth_user = AuthUser(user_id, api_key, username)
auth_user = AuthUser(user_id, api_key, username, self.ip_addr)
request.user = auth_user
self.rhodecode_user = c.rhodecode_user = auth_user
if not self.rhodecode_user.is_authenticated and \
@@ -286,6 +286,9 @@ class DbManage(object):
'Please validate and check default permissions '
'in admin panel')
def step_10(self):
pass
upgrade_steps = [0] + range(curr_version + 1, __dbversion__ + 1)
# CALL THE PROPER ORDER OF STEPS TO PERFORM FULL UPGRADE
new file 100644
import logging
import datetime
from sqlalchemy import *
from sqlalchemy.exc import DatabaseError
from sqlalchemy.orm import relation, backref, class_mapper, joinedload
from sqlalchemy.orm.session import Session
from sqlalchemy.ext.declarative import declarative_base
from rhodecode.lib.dbmigrate.migrate import *
from rhodecode.lib.dbmigrate.migrate.changeset import *
from rhodecode.model.meta import Base
def upgrade(migrate_engine):
Upgrade operations go here.
Don't create your own engine; bind migrate_engine to your metadata
#==========================================================================
# USER LOGS
from rhodecode.lib.dbmigrate.schema.db_1_5_0 import UserIpMap
tbl = UserIpMap.__table__
tbl.create()
def downgrade(migrate_engine):
meta = MetaData()
meta.bind = migrate_engine
@@ -1164,3 +1164,10 @@ def not_mapped_error(repo_name):
' it was created or renamed from the filesystem'
' please run the application again'
' in order to rescan repositories') % repo_name, category='error')
def ip_range(ip_addr):
from rhodecode.model.db import UserIpMap
s, e = UserIpMap._get_ip_range(ip_addr)
return '%s - %s' % (s, e)
# Copyright 2007 Google Inc.
# Licensed to PSF under a Contributor Agreement.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
# http://www.apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
# implied. See the License for the specific language governing
# permissions and limitations under the License.
"""A fast, lightweight IPv4/IPv6 manipulation library in Python.
This library is used to create/poke/manipulate IPv4 and IPv6 addresses
and networks.
__version__ = 'trunk'
import struct
IPV4LENGTH = 32
IPV6LENGTH = 128
class AddressValueError(ValueError):
"""A Value Error related to the address."""
class NetmaskValueError(ValueError):
"""A Value Error related to the netmask."""
def IPAddress(address, version=None):
"""Take an IP string/int and return an object of the correct type.
Args:
address: A string or integer, the IP address. Either IPv4 or
IPv6 addresses may be supplied; integers less than 2**32 will
be considered to be IPv4 by default.
version: An Integer, 4 or 6. If set, don't try to automatically
determine what the IP address type is. important for things
like IPAddress(1), which could be IPv4, '0.0.0.1', or IPv6,
'::1'.
Returns:
An IPv4Address or IPv6Address object.
Raises:
ValueError: if the string passed isn't either a v4 or a v6
address.
if version:
if version == 4:
return IPv4Address(address)
elif version == 6:
return IPv6Address(address)
except (AddressValueError, NetmaskValueError):
raise ValueError('%r does not appear to be an IPv4 or IPv6 address' %
address)
def IPNetwork(address, version=None, strict=False):
version: An Integer, if set, don't try to automatically
like IPNetwork(1), which could be IPv4, '0.0.0.1/32', or IPv6,
'::1/128'.
An IPv4Network or IPv6Network object.
address. Or if a strict network was requested and a strict
network wasn't given.
return IPv4Network(address, strict)
return IPv6Network(address, strict)
raise ValueError('%r does not appear to be an IPv4 or IPv6 network' %
def v4_int_to_packed(address):
"""The binary representation of this address.
address: An integer representation of an IPv4 IP address.
The binary representation of this address.
ValueError: If the integer is too large to be an IPv4 IP
if address > _BaseV4._ALL_ONES:
raise ValueError('Address too large for IPv4')
return Bytes(struct.pack('!I', address))
def v6_int_to_packed(address):
address: An integer representation of an IPv6 IP address.
return Bytes(struct.pack('!QQ', address >> 64, address & (2 ** 64 - 1)))
def _find_address_range(addresses):
"""Find a sequence of addresses.
addresses: a list of IPv4 or IPv6 addresses.
A tuple containing the first and last IP addresses in the sequence.
first = last = addresses[0]
for ip in addresses[1:]:
if ip._ip == last._ip + 1:
last = ip
break
return (first, last)
def _get_prefix_length(number1, number2, bits):
"""Get the number of leading bits that are same for two numbers.
number1: an integer.
number2: another integer.
bits: the maximum number of bits to compare.
The number of leading bits that are the same for two numbers.
for i in range(bits):
if number1 >> i == number2 >> i:
return bits - i
return 0
def _count_righthand_zero_bits(number, bits):
"""Count the number of zero bits on the right hand side.
number: an integer.
bits: maximum number of bits to count.
The number of zero bits on the right hand side of the number.
if number == 0:
return bits
if (number >> i) % 2:
return i
def summarize_address_range(first, last):
"""Summarize a network range given the first and last IP addresses.
Example:
>>> summarize_address_range(IPv4Address('1.1.1.0'),
IPv4Address('1.1.1.130'))
[IPv4Network('1.1.1.0/25'), IPv4Network('1.1.1.128/31'),
IPv4Network('1.1.1.130/32')]
first: the first IPv4Address or IPv6Address in the range.
last: the last IPv4Address or IPv6Address in the range.
The address range collapsed to a list of IPv4Network's or
IPv6Network's.
Raise:
TypeError:
If the first and last objects are not IP addresses.
If the first and last objects are not the same version.
ValueError:
If the last object is not greater than the first.
If the version is not 4 or 6.
if not (isinstance(first, _BaseIP) and isinstance(last, _BaseIP)):
raise TypeError('first and last must be IP addresses, not networks')
if first.version != last.version:
raise TypeError("%s and %s are not of the same version" % (
str(first), str(last)))
if first > last:
raise ValueError('last IP address must be greater than first')
networks = []
if first.version == 4:
ip = IPv4Network
elif first.version == 6:
ip = IPv6Network
raise ValueError('unknown IP version')
ip_bits = first._max_prefixlen
first_int = first._ip
last_int = last._ip
while first_int <= last_int:
nbits = _count_righthand_zero_bits(first_int, ip_bits)
current = None
while nbits >= 0:
addend = 2 ** nbits - 1
current = first_int + addend
nbits -= 1
if current <= last_int:
prefix = _get_prefix_length(first_int, current, ip_bits)
net = ip('%s/%d' % (str(first), prefix))
networks.append(net)
if current == ip._ALL_ONES:
first_int = current + 1
first = IPAddress(first_int, version=first._version)
return networks
def _collapse_address_list_recursive(addresses):
"""Loops through the addresses, collapsing concurrent netblocks.
ip1 = IPv4Network('1.1.0.0/24')
ip2 = IPv4Network('1.1.1.0/24')
ip3 = IPv4Network('1.1.2.0/24')
ip4 = IPv4Network('1.1.3.0/24')
ip5 = IPv4Network('1.1.4.0/24')
ip6 = IPv4Network('1.1.0.1/22')
_collapse_address_list_recursive([ip1, ip2, ip3, ip4, ip5, ip6]) ->
[IPv4Network('1.1.0.0/22'), IPv4Network('1.1.4.0/24')]
This shouldn't be called directly; it is called via
collapse_address_list([]).
addresses: A list of IPv4Network's or IPv6Network's
A list of IPv4Network's or IPv6Network's depending on what we were
passed.
ret_array = []
optimized = False
for cur_addr in addresses:
if not ret_array:
ret_array.append(cur_addr)
continue
if cur_addr in ret_array[-1]:
optimized = True
elif cur_addr == ret_array[-1].supernet().subnet()[1]:
ret_array.append(ret_array.pop().supernet())
if optimized:
return _collapse_address_list_recursive(ret_array)
return ret_array
def collapse_address_list(addresses):
"""Collapse a list of IP objects.
collapse_address_list([IPv4('1.1.0.0/24'), IPv4('1.1.1.0/24')]) ->
[IPv4('1.1.0.0/23')]
addresses: A list of IPv4Network or IPv6Network objects.
A list of IPv4Network or IPv6Network objects depending on what we
were passed.
TypeError: If passed a list of mixed version objects.
i = 0
addrs = []
ips = []
nets = []
# split IP addresses and networks
for ip in addresses:
if isinstance(ip, _BaseIP):
if ips and ips[-1]._version != ip._version:
str(ip), str(ips[-1])))
ips.append(ip)
elif ip._prefixlen == ip._max_prefixlen:
ips.append(ip.ip)
if nets and nets[-1]._version != ip._version:
str(ip), str(nets[-1])))
nets.append(ip)
# sort and dedup
ips = sorted(set(ips))
nets = sorted(set(nets))
while i < len(ips):
(first, last) = _find_address_range(ips[i:])
i = ips.index(last) + 1
addrs.extend(summarize_address_range(first, last))
return _collapse_address_list_recursive(sorted(
addrs + nets, key=_BaseNet._get_networks_key))
# backwards compatibility
CollapseAddrList = collapse_address_list
# We need to distinguish between the string and packed-bytes representations
# of an IP address. For example, b'0::1' is the IPv4 address 48.58.58.49,
# while '0::1' is an IPv6 address.
# In Python 3, the native 'bytes' type already provides this functionality,
# so we use it directly. For earlier implementations where bytes is not a
# distinct type, we create a subclass of str to serve as a tag.
# Usage example (Python 2):
# ip = ipaddr.IPAddress(ipaddr.Bytes('xxxx'))
# Usage example (Python 3):
# ip = ipaddr.IPAddress(b'xxxx')
if bytes is str:
raise TypeError("bytes is not a distinct type")
Bytes = bytes
except (NameError, TypeError):
class Bytes(str):
def __repr__(self):
return 'Bytes(%s)' % str.__repr__(self)
def get_mixed_type_key(obj):
"""Return a key suitable for sorting between networks and addresses.
Address and Network objects are not sortable by default; they're
fundamentally different so the expression
IPv4Address('1.1.1.1') <= IPv4Network('1.1.1.1/24')
doesn't make any sense. There are some times however, where you may wish
to have ipaddr sort these for you anyway. If you need to do this, you
can use this function as the key= argument to sorted().
obj: either a Network or Address object.
appropriate key.
if isinstance(obj, _BaseNet):
return obj._get_networks_key()
elif isinstance(obj, _BaseIP):
return obj._get_address_key()
return NotImplemented
class _IPAddrBase(object):
"""The mother class."""
def __index__(self):
return self._ip
def __int__(self):
def __hex__(self):
return hex(self._ip)
def exploded(self):
"""Return the longhand version of the IP address as a string."""
return self._explode_shorthand_ip_string()
def compressed(self):
"""Return the shorthand version of the IP address as a string."""
return str(self)
class _BaseIP(_IPAddrBase):
"""A generic IP object.
This IP class contains the version independent methods which are
used by single IP addresses.
def __eq__(self, other):
return (self._ip == other._ip
and self._version == other._version)
except AttributeError:
def __ne__(self, other):
eq = self.__eq__(other)
if eq is NotImplemented:
return not eq
def __le__(self, other):
gt = self.__gt__(other)
if gt is NotImplemented:
return not gt
def __ge__(self, other):
lt = self.__lt__(other)
if lt is NotImplemented:
return not lt
def __lt__(self, other):
if self._version != other._version:
raise TypeError('%s and %s are not of the same version' % (
str(self), str(other)))
if not isinstance(other, _BaseIP):
raise TypeError('%s and %s are not of the same type' % (
if self._ip != other._ip:
return self._ip < other._ip
def __gt__(self, other):
return self._ip > other._ip
# Shorthand for Integer addition and subtraction. This is not
# meant to ever support addition/subtraction of addresses.
def __add__(self, other):
if not isinstance(other, int):
return IPAddress(int(self) + other, version=self._version)
def __sub__(self, other):
return IPAddress(int(self) - other, version=self._version)
return '%s(%r)' % (self.__class__.__name__, str(self))
def __str__(self):
return '%s' % self._string_from_ip_int(self._ip)
def __hash__(self):
return hash(hex(long(self._ip)))
def _get_address_key(self):
return (self._version, self)
def version(self):
raise NotImplementedError('BaseIP has no version')
class _BaseNet(_IPAddrBase):
used by networks.
def __init__(self, address):
self._cache = {}
def iterhosts(self):
"""Generate Iterator over usable hosts in a network.
This is like __iter__ except it doesn't return the network
or broadcast addresses.
cur = int(self.network) + 1
bcast = int(self.broadcast) - 1
while cur <= bcast:
cur += 1
yield IPAddress(cur - 1, version=self._version)
def __iter__(self):
cur = int(self.network)
bcast = int(self.broadcast)
def __getitem__(self, n):
network = int(self.network)
broadcast = int(self.broadcast)
if n >= 0:
if network + n > broadcast:
raise IndexError
return IPAddress(network + n, version=self._version)
n += 1
if broadcast + n < network:
return IPAddress(broadcast + n, version=self._version)
if not isinstance(other, _BaseNet):
if self.network != other.network:
return self.network < other.network
if self.netmask != other.netmask:
return self.netmask < other.netmask
return self.network > other.network
return self.netmask > other.netmask
return (self._version == other._version
and self.network == other.network
and int(self.netmask) == int(other.netmask))
if isinstance(other, _BaseIP):
and self._ip == other._ip)
return '%s/%s' % (str(self.ip),
str(self._prefixlen))
return hash(int(self.network) ^ int(self.netmask))
def __contains__(self, other):
# always false if one is v4 and the other is v6.
# dealing with another network.
if isinstance(other, _BaseNet):
return (self.network <= other.network and
self.broadcast >= other.broadcast)
# dealing with another address
return (int(self.network) <= int(other._ip) <=
int(self.broadcast))
def overlaps(self, other):
"""Tell if self is partly contained in other."""
return self.network in other or self.broadcast in other or (
other.network in self or other.broadcast in self)
def network(self):
x = self._cache.get('network')
if x is None:
x = IPAddress(self._ip & int(self.netmask), version=self._version)
self._cache['network'] = x
return x
def broadcast(self):
x = self._cache.get('broadcast')
x = IPAddress(self._ip | int(self.hostmask), version=self._version)
self._cache['broadcast'] = x
def hostmask(self):
x = self._cache.get('hostmask')
x = IPAddress(int(self.netmask) ^ self._ALL_ONES,
version=self._version)
self._cache['hostmask'] = x
def with_prefixlen(self):
return '%s/%d' % (str(self.ip), self._prefixlen)
def with_netmask(self):
return '%s/%s' % (str(self.ip), str(self.netmask))
def with_hostmask(self):
return '%s/%s' % (str(self.ip), str(self.hostmask))
def numhosts(self):
"""Number of hosts in the current subnet."""
return int(self.broadcast) - int(self.network) + 1
raise NotImplementedError('BaseNet has no version')
def prefixlen(self):
return self._prefixlen
def address_exclude(self, other):
"""Remove an address from a larger block.
For example:
addr1 = IPNetwork('10.1.1.0/24')
addr2 = IPNetwork('10.1.1.0/26')
addr1.address_exclude(addr2) =
[IPNetwork('10.1.1.64/26'), IPNetwork('10.1.1.128/25')]
or IPv6:
addr1 = IPNetwork('::1/32')
addr2 = IPNetwork('::1/128')
addr1.address_exclude(addr2) = [IPNetwork('::0/128'),
IPNetwork('::2/127'),
IPNetwork('::4/126'),
IPNetwork('::8/125'),
...
IPNetwork('0:0:8000::/33')]
other: An IPvXNetwork object of the same type.
A sorted list of IPvXNetwork objects addresses which is self
minus other.
TypeError: If self and other are of difffering address
versions, or if other is not a network object.
ValueError: If other is not completely contained by self.
if not self._version == other._version:
raise TypeError("%s is not a network object" % str(other))
if other not in self:
raise ValueError('%s not contained in %s' % (str(other),
str(self)))
if other == self:
return []
ret_addrs = []
# Make sure we're comparing the network of other.
other = IPNetwork('%s/%s' % (str(other.network), str(other.prefixlen)),
version=other._version)
s1, s2 = self.subnet()
while s1 != other and s2 != other:
if other in s1:
ret_addrs.append(s2)
s1, s2 = s1.subnet()
elif other in s2:
ret_addrs.append(s1)
s1, s2 = s2.subnet()
# If we got here, there's a bug somewhere.
assert True == False, ('Error performing exclusion: '
's1: %s s2: %s other: %s' %
(str(s1), str(s2), str(other)))
if s1 == other:
elif s2 == other:
return sorted(ret_addrs, key=_BaseNet._get_networks_key)
def compare_networks(self, other):
"""Compare two IP objects.
This is only concerned about the comparison of the integer
representation of the network addresses. This means that the
host bits aren't considered at all in this method. If you want
to compare host bits, you can easily enough do a
'HostA._ip < HostB._ip'
other: An IP object.
If the IP versions of self and other are the same, returns:
-1 if self < other:
eg: IPv4('1.1.1.0/24') < IPv4('1.1.2.0/24')
IPv6('1080::200C:417A') < IPv6('1080::200B:417B')
0 if self == other
eg: IPv4('1.1.1.1/24') == IPv4('1.1.1.2/24')
IPv6('1080::200C:417A/96') == IPv6('1080::200C:417B/96')
1 if self > other
eg: IPv4('1.1.1.0/24') > IPv4('1.1.0.0/24')
IPv6('1080::1:200C:417A/112') >
IPv6('1080::0:200C:417A/112')
If the IP versions of self and other are different, returns:
-1 if self._version < other._version
eg: IPv4('10.0.0.1/24') < IPv6('::1/128')
1 if self._version > other._version
eg: IPv6('::1/128') > IPv4('255.255.255.0/24')
if self._version < other._version:
return -1
if self._version > other._version:
return 1
# self._version == other._version below here:
if self.network < other.network:
if self.network > other.network:
# self.network == other.network below here:
if self.netmask < other.netmask:
if self.netmask > other.netmask:
# self.network == other.network and self.netmask == other.netmask
def _get_networks_key(self):
"""Network-only key function.
Returns an object that identifies this address' network and
netmask. This function is a suitable "key" argument for sorted()
and list.sort().
return (self._version, self.network, self.netmask)
def _ip_int_from_prefix(self, prefixlen=None):
"""Turn the prefix length netmask into a int for comparison.
prefixlen: An integer, the prefix length.
An integer.
if not prefixlen and prefixlen != 0:
prefixlen = self._prefixlen
return self._ALL_ONES ^ (self._ALL_ONES >> prefixlen)
def _prefix_from_ip_int(self, ip_int, mask=32):
"""Return prefix length from the decimal netmask.
ip_int: An integer, the IP address.
mask: The netmask. Defaults to 32.
An integer, the prefix length.
while mask:
if ip_int & 1 == 1:
ip_int >>= 1
mask -= 1
return mask
def _ip_string_from_prefix(self, prefixlen=None):
"""Turn a prefix length into a dotted decimal string.
prefixlen: An integer, the netmask prefix length.
A string, the dotted decimal netmask string.
if not prefixlen:
return self._string_from_ip_int(self._ip_int_from_prefix(prefixlen))
def iter_subnets(self, prefixlen_diff=1, new_prefix=None):
"""The subnets which join to make the current subnet.
In the case that self contains only one IP
(self._prefixlen == 32 for IPv4 or self._prefixlen == 128
for IPv6), return a list with just ourself.
prefixlen_diff: An integer, the amount the prefix length
should be increased by. This should not be set if
new_prefix is also set.
new_prefix: The desired new prefix length. This must be a
larger number (smaller prefix) than the existing prefix.
This should not be set if prefixlen_diff is also set.
An iterator of IPv(4|6) objects.
ValueError: The prefixlen_diff is too small or too large.
OR
prefixlen_diff and new_prefix are both set or new_prefix
is a smaller number than the current prefix (smaller
number means a larger network)
if self._prefixlen == self._max_prefixlen:
yield self
return
if new_prefix is not None:
if new_prefix < self._prefixlen:
raise ValueError('new prefix must be longer')
if prefixlen_diff != 1:
raise ValueError('cannot set prefixlen_diff and new_prefix')
prefixlen_diff = new_prefix - self._prefixlen
if prefixlen_diff < 0:
raise ValueError('prefix length diff must be > 0')
new_prefixlen = self._prefixlen + prefixlen_diff
if not self._is_valid_netmask(str(new_prefixlen)):
raise ValueError(
'prefix length diff %d is invalid for netblock %s' % (
new_prefixlen, str(self)))
first = IPNetwork('%s/%s' % (str(self.network),
str(self._prefixlen + prefixlen_diff)),
yield first
current = first
while True:
broadcast = current.broadcast
if broadcast == self.broadcast:
new_addr = IPAddress(int(broadcast) + 1, version=self._version)
current = IPNetwork('%s/%s' % (str(new_addr), str(new_prefixlen)),
yield current
def masked(self):
"""Return the network object with the host bits masked out."""
return IPNetwork('%s/%d' % (self.network, self._prefixlen),
def subnet(self, prefixlen_diff=1, new_prefix=None):
"""Return a list of subnets, rather than an iterator."""
return list(self.iter_subnets(prefixlen_diff, new_prefix))
def supernet(self, prefixlen_diff=1, new_prefix=None):
"""The supernet containing the current network.
prefixlen_diff: An integer, the amount the prefix length of
the network should be decreased by. For example, given a
/24 network and a prefixlen_diff of 3, a supernet with a
/21 netmask is returned.
An IPv4 network object.
ValueError: If self.prefixlen - prefixlen_diff < 0. I.e., you have a
negative prefix length.
If prefixlen_diff and new_prefix are both set or new_prefix is a
larger number than the current prefix (larger number means a
smaller network)
if self._prefixlen == 0:
return self
if new_prefix > self._prefixlen:
raise ValueError('new prefix must be shorter')
prefixlen_diff = self._prefixlen - new_prefix
if self.prefixlen - prefixlen_diff < 0:
'current prefixlen is %d, cannot have a prefixlen_diff of %d' %
(self.prefixlen, prefixlen_diff))
return IPNetwork('%s/%s' % (str(self.network),
str(self.prefixlen - prefixlen_diff)),
Subnet = subnet
Supernet = supernet
AddressExclude = address_exclude
CompareNetworks = compare_networks
Contains = __contains__
class _BaseV4(object):
"""Base IPv4 object.
The following methods are used by IPv4 objects in both single IP
addresses and networks.
# Equivalent to 255.255.255.255 or 32 bits of 1's.
_ALL_ONES = (2 ** IPV4LENGTH) - 1
_DECIMAL_DIGITS = frozenset('0123456789')
self._version = 4
self._max_prefixlen = IPV4LENGTH
def _explode_shorthand_ip_string(self):
def _ip_int_from_string(self, ip_str):
"""Turn the given IP string into an integer for comparison.
ip_str: A string, the IP ip_str.
The IP ip_str as an integer.
AddressValueError: if ip_str isn't a valid IPv4 Address.
octets = ip_str.split('.')
if len(octets) != 4:
raise AddressValueError(ip_str)
packed_ip = 0
for oc in octets:
packed_ip = (packed_ip << 8) | self._parse_octet(oc)
except ValueError:
return packed_ip
def _parse_octet(self, octet_str):
"""Convert a decimal octet into an integer.
octet_str: A string, the number to parse.
The octet as an integer.
ValueError: if the octet isn't strictly a decimal from [0..255].
# Whitelist the characters, since int() allows a lot of bizarre stuff.
if not self._DECIMAL_DIGITS.issuperset(octet_str):
raise ValueError
octet_int = int(octet_str, 10)
# Disallow leading zeroes, because no clear standard exists on
# whether these should be interpreted as decimal or octal.
if octet_int > 255 or (octet_str[0] == '0' and len(octet_str) > 1):
return octet_int
def _string_from_ip_int(self, ip_int):
"""Turns a 32-bit integer into dotted decimal notation.
The IP address as a string in dotted decimal notation.
octets = []
for _ in xrange(4):
octets.insert(0, str(ip_int & 0xFF))
ip_int >>= 8
return '.'.join(octets)
def max_prefixlen(self):
return self._max_prefixlen
def packed(self):
"""The binary representation of this address."""
return v4_int_to_packed(self._ip)
return self._version
def is_reserved(self):
"""Test if the address is otherwise IETF reserved.
A boolean, True if the address is within the
reserved IPv4 Network range.
return self in IPv4Network('240.0.0.0/4')
def is_private(self):
"""Test if this address is allocated for private networks.
A boolean, True if the address is reserved per RFC 1918.
return (self in IPv4Network('10.0.0.0/8') or
self in IPv4Network('172.16.0.0/12') or
self in IPv4Network('192.168.0.0/16'))
def is_multicast(self):
"""Test if the address is reserved for multicast use.
A boolean, True if the address is multicast.
See RFC 3171 for details.
return self in IPv4Network('224.0.0.0/4')
def is_unspecified(self):
"""Test if the address is unspecified.
A boolean, True if this is the unspecified address as defined in
RFC 5735 3.
return self in IPv4Network('0.0.0.0')
def is_loopback(self):
"""Test if the address is a loopback address.
A boolean, True if the address is a loopback per RFC 3330.
return self in IPv4Network('127.0.0.0/8')
def is_link_local(self):
"""Test if the address is reserved for link-local.
A boolean, True if the address is link-local per RFC 3927.
return self in IPv4Network('169.254.0.0/16')
class IPv4Address(_BaseV4, _BaseIP):
"""Represent and manipulate single IPv4 Addresses."""
address: A string or integer representing the IP
'192.168.1.1'
Additionally, an integer can be passed, so
IPv4Address('192.168.1.1') == IPv4Address(3232235777).
or, more generally
IPv4Address(int(IPv4Address('192.168.1.1'))) ==
IPv4Address('192.168.1.1')
AddressValueError: If ipaddr isn't a valid IPv4 address.
_BaseV4.__init__(self, address)
# Efficient constructor from integer.
if isinstance(address, (int, long)):
self._ip = address
if address < 0 or address > self._ALL_ONES:
raise AddressValueError(address)
# Constructing from a packed address
if isinstance(address, Bytes):
self._ip, = struct.unpack('!I', address)
except struct.error:
raise AddressValueError(address) # Wrong length.
# Assume input argument to be string or any object representation
# which converts into a formatted IP string.
addr_str = str(address)
self._ip = self._ip_int_from_string(addr_str)
class IPv4Network(_BaseV4, _BaseNet):
"""This class represents and manipulates 32-bit IPv4 networks.
Attributes: [examples for IPv4Network('1.2.3.4/27')]
._ip: 16909060
.ip: IPv4Address('1.2.3.4')
.network: IPv4Address('1.2.3.0')
.hostmask: IPv4Address('0.0.0.31')
.broadcast: IPv4Address('1.2.3.31')
.netmask: IPv4Address('255.255.255.224')
.prefixlen: 27
# the valid octets for host and netmasks. only useful for IPv4.
_valid_mask_octets = set((255, 254, 252, 248, 240, 224, 192, 128, 0))
def __init__(self, address, strict=False):
"""Instantiate a new IPv4 network object.
address: A string or integer representing the IP [& network].
'192.168.1.1/24'
'192.168.1.1/255.255.255.0'
'192.168.1.1/0.0.0.255'
are all functionally the same in IPv4. Similarly,
'192.168.1.1/255.255.255.255'
'192.168.1.1/32'
are also functionaly equivalent. That is to say, failing to
provide a subnetmask will create an object with a mask of /32.
If the mask (portion after the / in the argument) is given in
dotted quad form, it is treated as a netmask if it starts with a
non-zero field (e.g. /255.0.0.0 == /8) and as a hostmask if it
starts with a zero field (e.g. 0.255.255.255 == /8), with the
single exception of an all-zero mask which is treated as a
netmask == /0. If no mask is given, a default of /32 is used.
IPv4Network('192.168.1.1') == IPv4Network(3232235777).
IPv4Network(int(IPv4Network('192.168.1.1'))) ==
IPv4Network('192.168.1.1')
strict: A boolean. If true, ensure that we have been passed
A true network address, eg, 192.168.1.0/24 and not an
IP address on a network, eg, 192.168.1.1/24.
NetmaskValueError: If the netmask isn't valid for
an IPv4 address.
ValueError: If strict was True and a network address was not
supplied.
_BaseNet.__init__(self, address)
# Constructing from an integer or packed bytes.
if isinstance(address, (int, long, Bytes)):
self.ip = IPv4Address(address)
self._ip = self.ip._ip
self._prefixlen = self._max_prefixlen
self.netmask = IPv4Address(self._ALL_ONES)
# which converts into a formatted IP prefix string.
addr = str(address).split('/')
if len(addr) > 2:
self._ip = self._ip_int_from_string(addr[0])
self.ip = IPv4Address(self._ip)
if len(addr) == 2:
mask = addr[1].split('.')
if len(mask) == 4:
# We have dotted decimal netmask.
if self._is_valid_netmask(addr[1]):
self.netmask = IPv4Address(self._ip_int_from_string(
addr[1]))
elif self._is_hostmask(addr[1]):
self.netmask = IPv4Address(
self._ip_int_from_string(addr[1]) ^ self._ALL_ONES)
raise NetmaskValueError('%s is not a valid netmask'
% addr[1])
self._prefixlen = self._prefix_from_ip_int(int(self.netmask))
# We have a netmask in prefix length form.
if not self._is_valid_netmask(addr[1]):
raise NetmaskValueError(addr[1])
self._prefixlen = int(addr[1])
self.netmask = IPv4Address(self._ip_int_from_prefix(
self._prefixlen))
if strict:
if self.ip != self.network:
raise ValueError('%s has host bits set' %
self.ip)
if self._prefixlen == (self._max_prefixlen - 1):
self.iterhosts = self.__iter__
def _is_hostmask(self, ip_str):
"""Test if the IP string is a hostmask (rather than a netmask).
ip_str: A string, the potential hostmask.
A boolean, True if the IP string is a hostmask.
bits = ip_str.split('.')
parts = [int(x) for x in bits if int(x) in self._valid_mask_octets]
if len(parts) != len(bits):
if parts[0] < parts[-1]:
def _is_valid_netmask(self, netmask):
"""Verify that the netmask is valid.
netmask: A string, either a prefix or dotted decimal
netmask.
A boolean, True if the prefix represents a valid IPv4
mask = netmask.split('.')
if [x for x in mask if int(x) not in self._valid_mask_octets]:
if [y for idx, y in enumerate(mask) if idx > 0 and
y > mask[idx - 1]]:
netmask = int(netmask)
return 0 <= netmask <= self._max_prefixlen
IsRFC1918 = lambda self: self.is_private
IsMulticast = lambda self: self.is_multicast
IsLoopback = lambda self: self.is_loopback
IsLinkLocal = lambda self: self.is_link_local
class _BaseV6(object):
"""Base IPv6 object.
The following methods are used by IPv6 objects in both single IP
_ALL_ONES = (2 ** IPV6LENGTH) - 1
_HEXTET_COUNT = 8
_HEX_DIGITS = frozenset('0123456789ABCDEFabcdef')
self._version = 6
self._max_prefixlen = IPV6LENGTH
"""Turn an IPv6 ip_str into an integer.
ip_str: A string, the IPv6 ip_str.
A long, the IPv6 ip_str.
AddressValueError: if ip_str isn't a valid IPv6 Address.
parts = ip_str.split(':')
# An IPv6 address needs at least 2 colons (3 parts).
if len(parts) < 3:
# If the address has an IPv4-style suffix, convert it to hexadecimal.
if '.' in parts[-1]:
ipv4_int = IPv4Address(parts.pop())._ip
parts.append('%x' % ((ipv4_int >> 16) & 0xFFFF))
parts.append('%x' % (ipv4_int & 0xFFFF))
# An IPv6 address can't have more than 8 colons (9 parts).
if len(parts) > self._HEXTET_COUNT + 1:
# Disregarding the endpoints, find '::' with nothing in between.
# This indicates that a run of zeroes has been skipped.
skip_index, = (
[i for i in xrange(1, len(parts) - 1) if not parts[i]] or
[None])
# Can't have more than one '::'
# parts_hi is the number of parts to copy from above/before the '::'
# parts_lo is the number of parts to copy from below/after the '::'
if skip_index is not None:
# If we found a '::', then check if it also covers the endpoints.
parts_hi = skip_index
parts_lo = len(parts) - skip_index - 1
if not parts[0]:
parts_hi -= 1
if parts_hi:
raise AddressValueError(ip_str) # ^: requires ^::
if not parts[-1]:
parts_lo -= 1
if parts_lo:
raise AddressValueError(ip_str) # :$ requires ::$
parts_skipped = self._HEXTET_COUNT - (parts_hi + parts_lo)
if parts_skipped < 1:
# Otherwise, allocate the entire address to parts_hi. The endpoints
# could still be empty, but _parse_hextet() will check for that.
if len(parts) != self._HEXTET_COUNT:
parts_hi = len(parts)
parts_lo = 0
parts_skipped = 0
# Now, parse the hextets into a 128-bit integer.
ip_int = 0L
for i in xrange(parts_hi):
ip_int <<= 16
ip_int |= self._parse_hextet(parts[i])
ip_int <<= 16 * parts_skipped
for i in xrange(-parts_lo, 0):
return ip_int
def _parse_hextet(self, hextet_str):
"""Convert an IPv6 hextet string into an integer.
hextet_str: A string, the number to parse.
The hextet as an integer.
ValueError: if the input isn't strictly a hex number from [0..FFFF].
if not self._HEX_DIGITS.issuperset(hextet_str):
if len(hextet_str) > 4:
hextet_int = int(hextet_str, 16)
if hextet_int > 0xFFFF:
return hextet_int
def _compress_hextets(self, hextets):
"""Compresses a list of hextets.
Compresses a list of strings, replacing the longest continuous
sequence of "0" in the list with "" and adding empty strings at
the beginning or at the end of the string such that subsequently
calling ":".join(hextets) will produce the compressed version of
the IPv6 address.
hextets: A list of strings, the hextets to compress.
A list of strings.
best_doublecolon_start = -1
best_doublecolon_len = 0
doublecolon_start = -1
doublecolon_len = 0
for index in range(len(hextets)):
if hextets[index] == '0':
doublecolon_len += 1
if doublecolon_start == -1:
# Start of a sequence of zeros.
doublecolon_start = index
if doublecolon_len > best_doublecolon_len:
# This is the longest sequence of zeros so far.
best_doublecolon_len = doublecolon_len
best_doublecolon_start = doublecolon_start
if best_doublecolon_len > 1:
best_doublecolon_end = (best_doublecolon_start +
best_doublecolon_len)
# For zeros at the end of the address.
if best_doublecolon_end == len(hextets):
hextets += ['']
hextets[best_doublecolon_start:best_doublecolon_end] = ['']
# For zeros at the beginning of the address.
if best_doublecolon_start == 0:
hextets = [''] + hextets
return hextets
def _string_from_ip_int(self, ip_int=None):
"""Turns a 128-bit integer into hexadecimal notation.
A string, the hexadecimal representation of the address.
ValueError: The address is bigger than 128 bits of all ones.
if not ip_int and ip_int != 0:
ip_int = int(self._ip)
if ip_int > self._ALL_ONES:
raise ValueError('IPv6 address is too large')
hex_str = '%032x' % ip_int
hextets = []
for x in range(0, 32, 4):
hextets.append('%x' % int(hex_str[x:x + 4], 16))
hextets = self._compress_hextets(hextets)
return ':'.join(hextets)
"""Expand a shortened IPv6 address.
ip_str: A string, the IPv6 address.
A string, the expanded IPv6 address.
if isinstance(self, _BaseNet):
ip_str = str(self.ip)
ip_str = str(self)
ip_int = self._ip_int_from_string(ip_str)
parts = []
for i in xrange(self._HEXTET_COUNT):
parts.append('%04x' % (ip_int & 0xFFFF))
ip_int >>= 16
parts.reverse()
return '%s/%d' % (':'.join(parts), self.prefixlen)
return ':'.join(parts)
return v6_int_to_packed(self._ip)
A boolean, True if the address is a multicast address.
See RFC 2373 2.7 for details.
return self in IPv6Network('ff00::/8')
A boolean, True if the address is within one of the
reserved IPv6 Network ranges.
return (self in IPv6Network('::/8') or
self in IPv6Network('100::/8') or
self in IPv6Network('200::/7') or
self in IPv6Network('400::/6') or
self in IPv6Network('800::/5') or
self in IPv6Network('1000::/4') or
self in IPv6Network('4000::/3') or
self in IPv6Network('6000::/3') or
self in IPv6Network('8000::/3') or
self in IPv6Network('A000::/3') or
self in IPv6Network('C000::/3') or
self in IPv6Network('E000::/4') or
self in IPv6Network('F000::/5') or
self in IPv6Network('F800::/6') or
self in IPv6Network('FE00::/9'))
RFC 2373 2.5.2.
return self._ip == 0 and getattr(self, '_prefixlen', 128) == 128
A boolean, True if the address is a loopback address as defined in
RFC 2373 2.5.3.
return self._ip == 1 and getattr(self, '_prefixlen', 128) == 128
A boolean, True if the address is reserved per RFC 4291.
return self in IPv6Network('fe80::/10')
def is_site_local(self):
"""Test if the address is reserved for site-local.
Note that the site-local address space has been deprecated by RFC 3879.
Use is_private to test if this address is in the space of unique local
addresses as defined by RFC 4193.
A boolean, True if the address is reserved per RFC 3513 2.5.6.
return self in IPv6Network('fec0::/10')
A boolean, True if the address is reserved per RFC 4193.
return self in IPv6Network('fc00::/7')
def ipv4_mapped(self):
"""Return the IPv4 mapped address.
If the IPv6 address is a v4 mapped address, return the
IPv4 mapped address. Return None otherwise.
if (self._ip >> 32) != 0xFFFF:
return None
return IPv4Address(self._ip & 0xFFFFFFFF)
def teredo(self):
"""Tuple of embedded teredo IPs.
Tuple of the (server, client) IPs or None if the address
doesn't appear to be a teredo address (doesn't start with
2001::/32)
if (self._ip >> 96) != 0x20010000:
return (IPv4Address((self._ip >> 64) & 0xFFFFFFFF),
IPv4Address(~self._ip & 0xFFFFFFFF))
def sixtofour(self):
"""Return the IPv4 6to4 embedded address.
The IPv4 6to4-embedded address if present or None if the
address doesn't appear to contain a 6to4 embedded address.
if (self._ip >> 112) != 0x2002:
return IPv4Address((self._ip >> 80) & 0xFFFFFFFF)
class IPv6Address(_BaseV6, _BaseIP):
"""Represent and manipulate single IPv6 Addresses.
"""Instantiate a new IPv6 address object.
IPv6Address('2001:4860::') ==
IPv6Address(42541956101370907050197289607612071936L).
IPv6Address(IPv6Address('2001:4860::')._ip) ==
IPv6Address('2001:4860::')
AddressValueError: If address isn't a valid IPv6 address.
_BaseV6.__init__(self, address)
hi, lo = struct.unpack('!QQ', address)
self._ip = (hi << 64) | lo
if not addr_str:
raise AddressValueError('')
class IPv6Network(_BaseV6, _BaseNet):
"""This class represents and manipulates 128-bit IPv6 networks.
Attributes: [examples for IPv6('2001:658:22A:CAFE:200::1/64')]
.ip: IPv6Address('2001:658:22a:cafe:200::1')
.network: IPv6Address('2001:658:22a:cafe::')
.hostmask: IPv6Address('::ffff:ffff:ffff:ffff')
.broadcast: IPv6Address('2001:658:22a:cafe:ffff:ffff:ffff:ffff')
.netmask: IPv6Address('ffff:ffff:ffff:ffff::')
.prefixlen: 64
"""Instantiate a new IPv6 Network object.
address: A string or integer representing the IPv6 network or the IP
and prefix/netmask.
'2001:4860::/128'
'2001:4860:0000:0000:0000:0000:0000:0000/128'
'2001:4860::'
are all functionally the same in IPv6. That is to say,
failing to provide a subnetmask will create an object with
a mask of /128.
IPv6Network('2001:4860::') ==
IPv6Network(42541956101370907050197289607612071936L).
IPv6Network(IPv6Network('2001:4860::')._ip) ==
IPv6Network('2001:4860::')
an IPv6 address.
self.ip = IPv6Address(address)
self.netmask = IPv6Address(self._ALL_ONES)
self.ip = IPv6Address(self._ip)
self.netmask = IPv6Address(self._ip_int_from_prefix(self._prefixlen))
def _is_valid_netmask(self, prefixlen):
"""Verify that the netmask/prefixlen is valid.
prefixlen: A string, the netmask in prefix length format.
A boolean, True if the prefix represents a valid IPv6
prefixlen = int(prefixlen)
return 0 <= prefixlen <= self._max_prefixlen
return self.with_prefixlen
@@ -109,7 +109,7 @@ class SimpleGit(BaseVCSController):
if not self._check_ssl(environ, start_response):
return HTTPNotAcceptable('SSL REQUIRED !')(environ, start_response)
ipaddr = self._get_ip_addr(environ)
username = None
self._git_first_op = False
# skip passing error to error controller
@@ -140,7 +140,7 @@ class SimpleGit(BaseVCSController):
anonymous_user = self.__get_user('default')
username = anonymous_user.username
anonymous_perm = self._check_permission(action, anonymous_user,
repo_name)
repo_name, ip_addr)
if anonymous_perm is not True or anonymous_user.active is False:
if anonymous_perm is not True:
@@ -182,7 +182,7 @@ class SimpleGit(BaseVCSController):
return HTTPInternalServerError()(environ, start_response)
#check permissions for this repository
perm = self._check_permission(action, user, repo_name)
perm = self._check_permission(action, user, repo_name, ip_addr)
if perm is not True:
return HTTPForbidden()(environ, start_response)
@@ -191,7 +191,7 @@ class SimpleGit(BaseVCSController):
from rhodecode import CONFIG
server_url = get_server_url(environ)
extras = {
'ip': ipaddr,
'ip': ip_addr,
'username': username,
'action': action,
'repository': repo_name,
@@ -73,7 +73,7 @@ class SimpleHg(BaseVCSController):
environ['pylons.status_code_redirect'] = True
@@ -103,7 +103,7 @@ class SimpleHg(BaseVCSController):
@@ -145,7 +145,7 @@ class SimpleHg(BaseVCSController):
@@ -154,7 +154,7 @@ class SimpleHg(BaseVCSController):
@@ -518,6 +518,33 @@ class UserEmailMap(Base, BaseModel):
self._email = val.lower() if val else None
class UserIpMap(Base, BaseModel):
__tablename__ = 'user_ip_map'
__table_args__ = (
UniqueConstraint('user_id', 'ip_addr'),
{'extend_existing': True, 'mysql_engine': 'InnoDB',
'mysql_charset': 'utf8'}
__mapper_args__ = {}
ip_id = Column("ip_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)
user_id = Column("user_id", Integer(), ForeignKey('users.user_id'), nullable=True, unique=None, default=None)
ip_addr = Column("ip_addr", String(255, convert_unicode=False, assert_unicode=None), nullable=True, unique=False, default=None)
user = relationship('User', lazy='joined')
def _get_ip_range(cls, ip_addr):
net = ipaddr.IPv4Network(ip_addr)
return [str(net.network), str(net.broadcast)]
def __json__(self):
return dict(
ip_addr=self.ip_addr,
ip_range=self._get_ip_range(self.ip_addr)
class UserLog(Base, BaseModel):
__tablename__ = 'user_logs'
@@ -637,6 +664,7 @@ class Repository(Base, BaseModel):
landing_rev = Column("landing_revision", String(255, convert_unicode=False, assert_unicode=None), nullable=False, unique=False, default=None)
enable_locking = Column("enable_locking", Boolean(), nullable=False, unique=None, default=False)
_locked = Column("locked", String(255, convert_unicode=False, assert_unicode=None), nullable=True, unique=False, default=None)
#changeset_cache = Column("changeset_cache", LargeBinary(), nullable=False) #JSON data
fork_id = Column("fork_id", Integer(), ForeignKey('repositories.repo_id'), nullable=True, unique=False, default=None)
group_id = Column("group_id", Integer(), ForeignKey('groups.group_id'), nullable=True, unique=False, default=None)
@@ -345,9 +345,14 @@ def LdapSettingsForm(tls_reqcert_choices
def UserExtraEmailForm():
class _UserExtraEmailForm(formencode.Schema):
email = All(v.UniqSystemEmail(), v.Email)
email = All(v.UniqSystemEmail(), v.Email(not_empty=True))
return _UserExtraEmailForm
def UserExtraIpForm():
class _UserExtraIpForm(formencode.Schema):
ip = v.ValidIp()(not_empty=True)
return _UserExtraIpForm
def PullRequestForm(repo_id):
@@ -40,7 +40,7 @@ from rhodecode.model import BaseModel
from rhodecode.model.db import User, UserRepoToPerm, Repository, Permission, \
UserToPerm, UsersGroupRepoToPerm, UsersGroupToPerm, UsersGroupMember, \
Notification, RepoGroup, UserRepoGroupToPerm, UsersGroupRepoGroupToPerm, \
UserEmailMap
UserEmailMap, UserIpMap
from rhodecode.lib.exceptions import DefaultUserException, \
UserOwnsReposException
@@ -705,3 +705,33 @@ class UserModel(BaseModel):
obj = UserEmailMap.query().get(email_id)
if obj:
self.sa.delete(obj)
def add_extra_ip(self, user, ip):
Adds ip address to UserIpMap
:param user:
:param ip:
from rhodecode.model import forms
form = forms.UserExtraIpForm()()
data = form.to_python(dict(ip=ip))
user = self._get_user(user)
obj = UserIpMap()
obj.user = user
obj.ip_addr = data['ip']
self.sa.add(obj)
return obj
def delete_extra_ip(self, user, ip_id):
Removes ip address from UserIpMap
:param ip_id:
obj = UserIpMap.query().get(ip_id)
@@ -11,7 +11,7 @@ from webhelpers.pylonslib.secure_form im
from formencode.validators import (
UnicodeString, OneOf, Int, Number, Regex, Email, Bool, StringBoolean, Set,
NotEmpty
NotEmpty, IPAddress, CIDR
from rhodecode.lib.compat import OrderedSet
from rhodecode.lib.utils import repo_name_slug
@@ -23,7 +23,7 @@ from rhodecode.lib.auth import HasReposG
# silence warnings and pylint
UnicodeString, OneOf, Int, Number, Regex, Email, Bool, StringBoolean, Set, \
@@ -706,3 +706,40 @@ def NotReviewedRevisions(repo_id):
return _validator
def ValidIp():
class _validator(CIDR):
messages = dict(
badFormat=_('Please enter a valid IP address (a.b.c.d)'),
illegalOctets=_('The octets must be within the range of 0-255'
' (not %(octet)r)'),
illegalBits=_('The network size (bits) must be within the range'
' of 0-32 (not %(bits)r)'))
def validate_python(self, value, state):
# Split into octets and bits
if '/' in value: # a.b.c.d/e
addr, bits = value.split('/')
else: # a.b.c.d
addr, bits = value, 32
# Use IPAddress validator to validate the IP part
IPAddress.validate_python(self, addr, state)
# Bits (netmask) correct?
if not 0 <= int(bits) <= 32:
raise formencode.Invalid(
self.message('illegalBits', state, bits=bits),
value, state)
# Splitting faild: wrong syntax
raise formencode.Invalid(self.message('badFormat', state),
def to_python(self, value, state):
v = super(_validator, self).to_python(value, state)
#if IP doesn't end with a mask, add /32
if '/' not in value:
v += '/32'
return v
@@ -4040,6 +4040,22 @@ div#legend_container table td,div#legend
float: left
}
.ips_wrap{
padding: 0px 20px;
.ips_wrap .ip_entry{
height: 30px;
padding:0px 0px 0px 10px;
.ips_wrap .ip_entry .ip{
.ips_wrap .ip_entry .ip_action{
/*README STYLE*/
div.readme {
@@ -16,7 +16,7 @@
</%def>
<%def name="main()">
<div class="box">
<div class="box box-left">
<!-- box / title -->
<div class="title">
${self.breadcrumbs()}
@@ -89,10 +89,127 @@
</div>
<div class="buttons">
${h.submit('set',_('set'),class_="ui-btn large")}
${h.submit('save',_('Save'),class_="ui-btn large")}
${h.reset('reset',_('Reset'),class_="ui-btn large")}
${h.end_form()}
<div style="min-height:780px" class="box box-right">
<h5>${_('Default User Permissions')}</h5>
## permissions overview
<div id="perms" class="table">
%for section in sorted(c.perm_user.permissions.keys()):
<div class="perms_section_head">${section.replace("_"," ").capitalize()}</div>
%if not c.perm_user.permissions[section]:
<span class="empty_data">${_('Nothing here yet')}</span>
%else:
<div id='tbl_list_wrap_${section}' class="yui-skin-sam">
<table id="tbl_list_${section}">
<thead>
<tr>
<th class="left">${_('Name')}</th>
<th class="left">${_('Permission')}</th>
<th class="left">${_('Edit Permission')}</th>
</thead>
<tbody>
%for k in c.perm_user.permissions[section]:
<%
if section != 'global':
section_perm = c.perm_user.permissions[section].get(k)
_perm = section_perm.split('.')[-1]
_perm = section_perm = None
%>
<td>
%if section == 'repositories':
<a href="${h.url('summary_home',repo_name=k)}">${k}</a>
%elif section == 'repositories_groups':
<a href="${h.url('repos_group_home',group_name=k)}">${k}</a>
${h.get_permission_name(k)}
%endif
</td>
%if section == 'global':
${h.bool2icon(k.split('.')[-1] != 'none')}
<span class="perm_tag ${_perm}">${section_perm}</span>
<a href="${h.url('edit_repo',repo_name=k,anchor='permissions_manage')}">${_('edit')}</a>
<a href="${h.url('edit_repos_group',id=k,anchor='permissions_manage')}">${_('edit')}</a>
--
</tr>
%endfor
</tbody>
</table>
<div class="box box-left" style="clear:left">
<h5>${_('Allowed IP addresses')}</h5>
<div class="ips_wrap">
<table class="noborder">
%if c.user_ip_map:
%for ip in c.user_ip_map:
<td><div class="ip">${ip.ip_addr}</div></td>
<td><div class="ip">${h.ip_range(ip.ip_addr)}</div></td>
${h.form(url('user_ips_delete', id=c.user.user_id),method='delete')}
${h.hidden('del_ip',ip.ip_id)}
${h.hidden('default_user', 'True')}
${h.submit('remove_',_('delete'),id="remove_ip_%s" % ip.ip_id,
class_="delete_icon action_button", onclick="return confirm('"+_('Confirm to delete this ip: %s') % ip.ip_addr+"');")}
<tr><td><div class="ip">${_('All IP addresses are allowed')}</div></td></tr>
${h.form(url('user_ips', id=c.user.user_id),method='put')}
<div class="form">
<!-- fields -->
<div class="fields">
<div class="field">
<div class="label">
<label for="new_ip">${_('New ip address')}:</label>
<div class="input">
${h.text('new_ip', class_='medium')}
${h.submit('save',_('Add'),class_="ui-btn large")}
@@ -43,7 +43,11 @@
<label>${_('API key')}</label> ${c.user.api_key}
<label>${_('Your IP')}</label> ${c.perm_user.ip_addr or "?"}
@@ -271,7 +275,7 @@
<label for="email">${_('New email address')}:</label>
<label for="new_email">${_('New email address')}:</label>
${h.text('new_email', class_='medium')}
@@ -285,4 +289,52 @@
Status change: