#!/usr/bin/env python
# encoding: utf-8
# authentication and permission libraries
# Copyright (C) 2009-2010 Marcin Kuzminski <marcin@python-works.com>
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; version 2
# of the License or (at your opinion) any later version of the license.
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
# MA 02110-1301, USA.
"""
Created on April 4, 2010
@author: marcink
from beaker.cache import cache_region
from pylons import config, session, url, request
from pylons.controllers.util import abort, redirect
from pylons_app.lib.utils import get_repo_slug
from pylons_app.model import meta
from pylons_app.model.db import User, RepoToPerm, Repository, Permission
from sqlalchemy.exc import OperationalError
from sqlalchemy.orm.exc import NoResultFound, MultipleResultsFound
import crypt
import hashlib
from decorator import decorator
import logging
log = logging.getLogger(__name__)
def get_crypt_password(password):
Cryptographic function used for password hashing
"""Cryptographic function used for password hashing based on sha1
@param password: password to hash
return crypt.crypt(password, '6a')
hashed = hashlib.sha1(password).hexdigest()
return hashed[3:] + hashed[:3]
@cache_region('super_short_term', 'cached_user')
def get_user_cached(username):
sa = meta.Session
try:
user = sa.query(User).filter(User.username == username).one()
finally:
meta.Session.remove()
return user
def authfunc(environ, username, password):
password_crypt = get_crypt_password(password)
user = get_user_cached(username)
except (NoResultFound, MultipleResultsFound, OperationalError) as e:
log.error(e)
user = None
if user:
if user.active:
if user.username == username and user.password == password_crypt:
log.info('user %s authenticated correctly', username)
return True
else:
log.error('user %s is disabled', username)
return False
class AuthUser(object):
A simple object that handles a mercurial username for authentication
def __init__(self):
self.username = 'None'
self.name = ''
self.lastname = ''
self.email = ''
self.user_id = None
self.is_authenticated = False
self.is_admin = False
self.permissions = {}
def set_available_permissions(config):
This function will propagate pylons globals with all available defined
permission given in db. We don't wannt to check each time from db for new
permissions since adding a new permission also requires application restart
ie. to decorate new views with the newly created permission
@param config:
log.info('getting information about all available permissions')
all_perms = sa.query(Permission).all()
config['available_permissions'] = [x.permission_name for x in all_perms]
def set_base_path(config):
config['base_path'] = config['pylons.app_globals'].base_path
def fill_data(user):
Fills user data with those from database and log out user if not present
in database
@param user:
dbuser = sa.query(User).get(user.user_id)
if dbuser:
user.username = dbuser.username
user.is_admin = dbuser.admin
user.name = dbuser.name
user.lastname = dbuser.lastname
user.email = dbuser.email
user.is_authenticated = False
def fill_perms(user):
Fills user permission attribute with permissions taken from database
user.permissions['repositories'] = {}
user.permissions['global'] = set()
#first fetch default permissions
default_perms = sa.query(RepoToPerm, Repository, Permission)\
.join((Repository, RepoToPerm.repository_id == Repository.repo_id))\
.join((Permission, RepoToPerm.permission_id == Permission.permission_id))\
.filter(RepoToPerm.user_id == sa.query(User).filter(User.username ==
'default').one().user_id).all()
if user.is_admin:
user.permissions['global'].add('hg.admin')
#admin have all rights set to admin
for perm in default_perms:
p = 'repository.admin'
user.permissions['repositories'][perm.RepoToPerm.repository.repo_name] = p
user.permissions['global'].add('repository.create')
user.permissions['global'].add('hg.register')
if perm.Repository.private and not perm.Repository.user_id == user.user_id:
#disable defaults for private repos,
p = 'repository.none'
elif perm.Repository.user_id == user.user_id:
#set admin if owner
p = perm.Permission.permission_name
user_perms = sa.query(RepoToPerm, Permission, Repository)\
.filter(RepoToPerm.user_id == user.user_id).all()
#overwrite userpermissions with defaults
for perm in user_perms:
#set write if owner
if perm.Repository.user_id == user.user_id:
p = 'repository.write'
def get_user(session):
Gets user from session, and wraps permissions into user
@param session:
user = session.get('hg_app_user', AuthUser())
if user.is_authenticated:
user = fill_data(user)
user = fill_perms(user)
session['hg_app_user'] = user
session.save()
#===============================================================================
# CHECK DECORATORS
class LoginRequired(object):
"""Must be logged in to execute this function else redirect to login page"""
def __call__(self, func):
return decorator(self.__wrapper, func)
def __wrapper(self, func, *fargs, **fkwargs):
log.debug('Checking login required for user:%s', user.username)
log.debug('user %s is authenticated', user.username)
return func(*fargs, **fkwargs)
log.warn('user %s not authenticated', user.username)
log.debug('redirecting to login page')
return redirect(url('login_home'))
class PermsDecorator(object):
"""Base class for decorators"""
def __init__(self, *required_perms):
available_perms = config['available_permissions']
for perm in required_perms:
if perm not in available_perms:
raise Exception("'%s' permission is not defined" % perm)
self.required_perms = set(required_perms)
self.user_perms = None
# _wrapper.__name__ = func.__name__
# _wrapper.__dict__.update(func.__dict__)
# _wrapper.__doc__ = func.__doc__
self.user_perms = session.get('hg_app_user', AuthUser()).permissions
log.debug('checking %s permissions %s for %s',
self.__class__.__name__, self.required_perms, func.__name__)
if self.check_permissions():
log.debug('Permission granted for %s', func.__name__)
log.warning('Permission denied for %s', func.__name__)
#redirect with forbidden ret code
return abort(403)
def check_permissions(self):
"""Dummy function for overriding"""
raise Exception('You have to write this function in child class')
class HasPermissionAllDecorator(PermsDecorator):
"""Checks for access permission for all given predicates. All of them
have to be meet in order to fulfill the request
if self.required_perms.issubset(self.user_perms.get('global')):
class HasPermissionAnyDecorator(PermsDecorator):
"""Checks for access permission for any of given predicates. In order to
fulfill the request any of predicates must be meet
if self.required_perms.intersection(self.user_perms.get('global')):
class HasRepoPermissionAllDecorator(PermsDecorator):
"""Checks for access permission for all given predicates for specific
repository. All of them have to be meet in order to fulfill the request
repo_name = get_repo_slug(request)
user_perms = set([self.user_perms['repositories'][repo_name]])
except KeyError:
Status change: