From 1c011b45ffb1a25292198bcc309e43aaa15b0ef5 Mon Sep 17 00:00:00 2001 From: Francesco Siddi Date: Sun, 11 Oct 2015 22:52:57 +0200 Subject: [PATCH] Removed previous authentication logic Should not have functional changes. --- pillar/application/__init__.py | 120 +--------------- pillar/application/pre_hooks.py | 237 -------------------------------- 2 files changed, 6 insertions(+), 351 deletions(-) delete mode 100644 pillar/application/pre_hooks.py diff --git a/pillar/application/__init__.py b/pillar/application/__init__.py index 5fc36fae..2260ebbc 100644 --- a/pillar/application/__init__.py +++ b/pillar/application/__init__.py @@ -19,13 +19,6 @@ from flask import request from flask import url_for from flask import abort -from pre_hooks import pre_GET -from pre_hooks import pre_PUT -from pre_hooks import pre_PATCH -from pre_hooks import pre_POST -from pre_hooks import pre_DELETE -# from pre_hooks import check_permissions -# from pre_hooks import compute_permissions from datetime import datetime from datetime import timedelta @@ -140,59 +133,17 @@ def validate_token(): setattr(g, 'current_user', current_user) -class TokensAuth(TokenAuth): - def check_auth(self, token, allowed_roles, resource, method): - if not token: - return False - - validate_token() - - # if dbtoken: - # check_permissions(dbtoken['user']) - # return True - - # return validation['valid'] - return True - - -class BasicsAuth(BasicAuth): - def check_auth(self, username, password, allowed_roles, resource, method): - # return username == 'admin' and password == 'secret' - print username - print password - return True - - -class CustomTokenAuth(BasicsAuth): - """Switch between Basic and Token auth""" - def __init__(self): - self.token_auth = TokensAuth() - self.authorized_protected = BasicsAuth.authorized - - def authorized(self, allowed_roles, resource, method): - # if resource == 'tokens': - if False: - return self.authorized_protected( - self, allowed_roles, resource, method) - else: - print 'is auth' - return self.token_auth.authorized(allowed_roles, resource, method) - - def authorized_protected(self): - pass - - class NewAuth(TokenAuth): def check_auth(self, token, allowed_roles, resource, method): if not token: return False else: - print '---' - print 'validating' - print token - print resource - print method - print '---' + # print '---' + # print 'validating' + # print token + # print resource + # print method + # print '---' validate_token() return True @@ -273,65 +224,6 @@ client = MongoClient(app.config['MONGO_HOST'], 27017) db = client.eve -def global_validation(): - token_data = validate_token() - if token_data: - setattr(g, 'token_data', token_data) - #setattr(g, 'validate', validate(token_data['token'])) - check_permissions(token_data['user'], app.data.driver) - else: - print 'NO TOKEN' - - -def pre_GET_nodes(request, lookup): - # Only get allowed documents - global_validation() - # print ("Get") - # print ("Owner: {0}".format(g.get('owner_permissions'))) - # print ("World: {0}".format(g.get('world_permissions'))) - return pre_GET(request, lookup, app.data.driver) - - -def pre_PUT_nodes(request, lookup): - # Only Update allowed documents - global_validation() - # print ("Put") - # print ("Owner: {0}".format(g.get('owner_permissions'))) - # print ("World: {0}".format(g.get('world_permissions'))) - return pre_PUT(request, lookup, app.data.driver) - - -def pre_PATCH_nodes(request): - return pre_PATCH(request, app.data.driver) - - -def pre_POST_nodes(request): - # global_validation() - # print ("Post") - # print ("World: {0}".format(g.get('world_permissions'))) - # print ("Group: {0}".format(g.get('groups_permissions'))) - # return pre_POST(request, app.data.driver) - print 'pre posting' - print request - - -def pre_DELETE_nodes(request, lookup): - # Only Delete allowed documents - global_validation() - # print ("Delete") - # print ("Owner: {0}".format(type_owner_permissions)) - # print ("World: {0}".format(type_world_permissions)) - # print ("Groups: {0}".format(type_groups_permissions)) - return pre_DELETE(request, lookup, app.data.driver) - - -#app.on_pre_GET_nodes += pre_GET_nodes -app.on_pre_POST_nodes += pre_POST_nodes -# app.on_pre_PATCH_nodes += pre_PATCH_nodes -#app.on_pre_PUT_nodes += pre_PUT_nodes -app.on_pre_DELETE_nodes += pre_DELETE_nodes - - def check_permissions(resource, method): """Check user permissions to access a node. We look up node permissions from world to groups to users and match them with the computed user permissions. diff --git a/pillar/application/pre_hooks.py b/pillar/application/pre_hooks.py deleted file mode 100644 index 0cf76251..00000000 --- a/pillar/application/pre_hooks.py +++ /dev/null @@ -1,237 +0,0 @@ -import json -from flask import g -from flask import abort -from flask import request - -from bson import ObjectId - -# from application import app - - -def permissions_lookup(action, lookup): - type_world_permissions = g.get('type_world_permissions') - type_owner_permissions = g.get('type_owner_permissions') - node_types = [] - # Get all node_types allowed by world: - for perm in type_world_permissions: - if action in type_world_permissions[perm]: - node_types.append(str(perm)) - # Get all nodes with node_type allowed by owner if user == owner - owner_lookup = [] - for perm in type_owner_permissions: - if action in type_owner_permissions[perm]: - if action not in type_world_permissions[perm]: - # If one of the following is true - # If node_type==node_type and user==user - owner_lookup.append( - {'$and': [{'node_type': str(perm)}, - {'user': str(g.get('token_data')['user'])}]}) - lookup['$or'] = [{'node_type': {'$in': node_types}}] - if len(owner_lookup) > 0: - lookup['$or'].append({'$or': owner_lookup}) - return lookup - - -def pre_GET(request, lookup, data_driver): - action = 'GET' - if 'token_type' not in lookup and '_id' not in request.view_args: - # Is quering for all nodes (mixed types) - lookup = permissions_lookup(action, lookup) - else: - # Is quering for one specific node - if action not in g.get('world_permissions') and \ - action not in g.get('groups_permissions'): - lookup['user'] = g.get('token_data')['user'] - # token_data = validate_token() - # validate(token_data['token']) - - # lookup["userr"] = "user" - # print ("Lookup") - # print (lookup) - - -def pre_PUT(request, lookup, data_driver): - action = 'UPDATE' - if 'token_type' not in lookup and '_id' not in request.view_args: - # Is updating all nodes (mixed types) - lookup = permissions_lookup(action, lookup) - else: - # Is updating one specific node - if action not in g.get('world_permissions') and \ - action not in g.get('groups_permissions'): - lookup['user'] = g.get('token_data')['user'] - - # print ("Lookup") - # print (lookup) - - -def pre_PATCH(request, lookup, data_driver): - print ("Patch") - - -def pre_POST(request, data_driver): - # Only Post allowed documents - action = 'POST' - #print(g.get('type_groups_permissions')) - print(g.get('groups_permissions')) - print(g.get('world_permissions')) - # Is quering for one specific node - if action not in g.get('world_permissions') and \ - action not in g.get('groups_permissions'): - abort(403) - - -def pre_DELETE(request, lookup, data_driver): - type_world_permissions = g.get('type_world_permissions') - type_owner_permissions = g.get('type_owner_permissions') - type_groups_permissions = g.get('type_groups_permissions') - action = 'DELETE' - - if '_id' in lookup: - nodes = data_driver.db['nodes'] - dbnode = nodes.find_one({'_id': ObjectId(lookup['_id'])}) - # print (dbnode.count()) - node_type = str(dbnode['node_type']) - if g.get('token_data')['user'] == dbnode['user']: - owner = True - else: - owner = False - if action not in type_world_permissions[node_type] and \ - action not in type_groups_permissions[node_type]: - if action not in type_owner_permissions[node_type]: - print ("Abort1") - abort(403) - else: - if not owner: - print ("Abort2") - abort(403) - else: - print ("Abort3") - abort(403) - - -def compute_permissions(user, data_driver): - node_type = None - dbnode = None - owner_permissions = [] - world_permissions = [] - groups_permissions = [] - groups = data_driver.db['groups'] - users = data_driver.db['users'] - # The hardcoded owners group. In this group we define the default permission - # level that the user associated with a node has. These permissions can be - # overridden by custom group and world. - owner_group = groups.find_one({'name': 'owner'}) - # The world group is always evaluated, especially when the user is not logged - # in. - world_group = groups.find_one({'name': 'world'}) - user_data = users.find_one({'_id': ObjectId(user)}) - # If we are requesting a specific node - try: - uuid = request.path.split("/")[2] - nodes = data_driver.db['nodes'] - lookup = {'_id': ObjectId(uuid)} - dbnode = nodes.find_one(lookup) - except IndexError: - pass - if dbnode: - # If a node object is found, extract the node_type ObjectID - node_type = str(dbnode['node_type']) - - # If we are creating a new node, we get the node_type ObjectID from the request - json_data = None - # TODO(fsiddi): handle creation vs everything else in a more efficient way - try: - json_data = json.loads(request.data) - except ValueError: - pass - if not node_type and json_data: - if 'node_type' in json_data: - node_type = json_data['node_type'] - - # Extract query lookup - # which node_type is asking for? - # TODO(fsiddi): It's not clear if this code is being used at all - - # for arg in request.args: - # if arg == 'where': - # try: - # where = json.loads(request.args[arg]) - # except ValueError: - # raise - # if where.get('node_type'): - # node_type = where.get('node_type') - # break - - # Get and store permissions for that node_type - type_owner_permissions = {} - type_world_permissions = {} - type_groups_permissions = {} - type_mixed_permissions = {} - - for perm in owner_group['permissions']: - # Build the global type_owner_permission dictionary - type_owner_permissions[str(perm['node_type'])] = perm['permissions'] - if str(perm['node_type']) == node_type: - # If a node_type ObjectID matches the requested node_type, populate - # the actual owner permissions for the current user - owner_permissions = perm['permissions'] - - for perm in world_group['permissions']: - # Build the global type_owner_permission dictionary - type_world_permissions[str(perm['node_type'])] = perm['permissions'] - if str(perm['node_type']) == node_type: - # If a node_type ObjectID matches the requested node_type, populate - # the actual world permissions in relation to the current user - world_permissions = perm['permissions'] - - # Adding empty permissions - if str(perm['node_type']) not in type_groups_permissions: - type_groups_permissions[str(perm['node_type'])] = [] - - # This dictionary will hold the combined permissions. Why? - type_mixed_permissions = type_world_permissions - - # Get group ObjectID associated with the requesting user - groups_data = user_data.get('groups') - if groups_data: - for group in groups_data: - group_data = groups.find_one({'_id': ObjectId(group)}) - for perm in group_data['permissions']: - # Populate the group permissions. This searches in the - # type_groups_permissions dict, which is generated previously - # using the world permissions. If a world permission is not - # defined for a certain node type, this will fail. - type_groups_permissions[str(perm['node_type'])] += \ - perm['permissions'] - type_mixed_permissions[str(perm['node_type'])] += \ - perm['permissions'] - if str(perm['node_type']) == node_type: - groups_permissions = perm['permissions'] - - return { - 'owner_permissions': owner_permissions, - 'world_permissions': world_permissions, - 'groups_permissions': groups_permissions, - 'type_owner_permissions': type_owner_permissions, - 'type_world_permissions': type_world_permissions, - 'type_groups_permissions': type_groups_permissions, - 'type_mixed_permissions': type_mixed_permissions - } - - -def check_permissions(user, data_driver): - # Entry point should be nodes - entry_point = request.path.split("/")[1] - if entry_point != 'nodes': - return - - permissions = compute_permissions(user, data_driver) - - # Store permission properties on global - setattr(g, 'owner_permissions', permissions['owner_permissions']) - setattr(g, 'world_permissions', permissions['world_permissions']) - setattr(g, 'groups_permissions', permissions['groups_permissions']) - setattr(g, 'type_owner_permissions', permissions['type_owner_permissions']) - setattr(g, 'type_world_permissions', permissions['type_world_permissions']) - setattr(g, 'type_groups_permissions', permissions['type_groups_permissions'])