archive/pillar
0
0
Fork 0
Code Issues 42 Pull Requests Projects Releases Wiki Activity

Removed previous authentication logic

Browse Source 
Should not have functional changes.
This commit is contained in:
Francesco Siddi 2015-10-11 22:52:57 +02:00
parent 018ddfa20b
commit 1c011b45ff
2 changed files with 6 additions and 351 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

120
pillar/application/__init__.py
View File

@ -19,13 +19,6 @@ from flask import request
from flask import url_for from flask import url_for
from flask import abort from flask import abort
from pre_hooks import pre_GET
from pre_hooks import pre_PUT
from pre_hooks import pre_PATCH
from pre_hooks import pre_POST
from pre_hooks import pre_DELETE
# from pre_hooks import check_permissions
# from pre_hooks import compute_permissions
from datetime import datetime from datetime import datetime
from datetime import timedelta from datetime import timedelta
@ -140,59 +133,17 @@ def validate_token():
setattr(g, 'current_user', current_user) setattr(g, 'current_user', current_user)
class TokensAuth(TokenAuth):
def check_auth(self, token, allowed_roles, resource, method):
if not token:
return False
validate_token()
# if dbtoken:
# check_permissions(dbtoken['user'])
# return True
# return validation['valid']
return True
class BasicsAuth(BasicAuth):
def check_auth(self, username, password, allowed_roles, resource, method):
# return username == 'admin' and password == 'secret'
print username
print password
return True
class CustomTokenAuth(BasicsAuth):
"""Switch between Basic and Token auth"""
def __init__(self):
self.token_auth = TokensAuth()
self.authorized_protected = BasicsAuth.authorized
def authorized(self, allowed_roles, resource, method):
# if resource == 'tokens':
if False:
return self.authorized_protected(
self, allowed_roles, resource, method)
else:
print 'is auth'
return self.token_auth.authorized(allowed_roles, resource, method)
def authorized_protected(self):
pass
class NewAuth(TokenAuth): class NewAuth(TokenAuth):
def check_auth(self, token, allowed_roles, resource, method): def check_auth(self, token, allowed_roles, resource, method):
if not token: if not token:
return False return False
else: else:
print '---' # print '---'
print 'validating' # print 'validating'
print token # print token
print resource # print resource
print method # print method
print '---' # print '---'
validate_token() validate_token()
return True return True
@ -273,65 +224,6 @@ client = MongoClient(app.config['MONGO_HOST'], 27017)
db = client.eve db = client.eve
def global_validation():
token_data = validate_token()
if token_data:
setattr(g, 'token_data', token_data)
#setattr(g, 'validate', validate(token_data['token']))
check_permissions(token_data['user'], app.data.driver)
else:
print 'NO TOKEN'
def pre_GET_nodes(request, lookup):
# Only get allowed documents
global_validation()
# print ("Get")
# print ("Owner: {0}".format(g.get('owner_permissions')))
# print ("World: {0}".format(g.get('world_permissions')))
return pre_GET(request, lookup, app.data.driver)
def pre_PUT_nodes(request, lookup):
# Only Update allowed documents
global_validation()
# print ("Put")
# print ("Owner: {0}".format(g.get('owner_permissions')))
# print ("World: {0}".format(g.get('world_permissions')))
return pre_PUT(request, lookup, app.data.driver)
def pre_PATCH_nodes(request):
return pre_PATCH(request, app.data.driver)
def pre_POST_nodes(request):
# global_validation()
# print ("Post")
# print ("World: {0}".format(g.get('world_permissions')))
# print ("Group: {0}".format(g.get('groups_permissions')))
# return pre_POST(request, app.data.driver)
print 'pre posting'
print request
def pre_DELETE_nodes(request, lookup):
# Only Delete allowed documents
global_validation()
# print ("Delete")
# print ("Owner: {0}".format(type_owner_permissions))
# print ("World: {0}".format(type_world_permissions))
# print ("Groups: {0}".format(type_groups_permissions))
return pre_DELETE(request, lookup, app.data.driver)
#app.on_pre_GET_nodes += pre_GET_nodes
app.on_pre_POST_nodes += pre_POST_nodes
# app.on_pre_PATCH_nodes += pre_PATCH_nodes
#app.on_pre_PUT_nodes += pre_PUT_nodes
app.on_pre_DELETE_nodes += pre_DELETE_nodes
def check_permissions(resource, method): def check_permissions(resource, method):
"""Check user permissions to access a node. We look up node permissions from """Check user permissions to access a node. We look up node permissions from
world to groups to users and match them with the computed user permissions. world to groups to users and match them with the computed user permissions.

237
pillar/application/pre_hooks.py
View File

@ -1,237 +0,0 @@
import json
from flask import g
from flask import abort
from flask import request
from bson import ObjectId
# from application import app
def permissions_lookup(action, lookup):
type_world_permissions = g.get('type_world_permissions')
type_owner_permissions = g.get('type_owner_permissions')
node_types = []
# Get all node_types allowed by world:
for perm in type_world_permissions:
if action in type_world_permissions[perm]:
node_types.append(str(perm))
# Get all nodes with node_type allowed by owner if user == owner
owner_lookup = []
for perm in type_owner_permissions:
if action in type_owner_permissions[perm]:
if action not in type_world_permissions[perm]:
# If one of the following is true
# If node_type==node_type and user==user
owner_lookup.append(
{'$and': [{'node_type': str(perm)},
{'user': str(g.get('token_data')['user'])}]})
lookup['$or'] = [{'node_type': {'$in': node_types}}]
if len(owner_lookup) > 0:
lookup['$or'].append({'$or': owner_lookup})
return lookup
def pre_GET(request, lookup, data_driver):
action = 'GET'
if 'token_type' not in lookup and '_id' not in request.view_args:
# Is quering for all nodes (mixed types)
lookup = permissions_lookup(action, lookup)
else:
# Is quering for one specific node
if action not in g.get('world_permissions') and \
action not in g.get('groups_permissions'):
lookup['user'] = g.get('token_data')['user']
# token_data = validate_token()
# validate(token_data['token'])
# lookup["userr"] = "user"
# print ("Lookup")
# print (lookup)
def pre_PUT(request, lookup, data_driver):
action = 'UPDATE'
if 'token_type' not in lookup and '_id' not in request.view_args:
# Is updating all nodes (mixed types)
lookup = permissions_lookup(action, lookup)
else:
# Is updating one specific node
if action not in g.get('world_permissions') and \
action not in g.get('groups_permissions'):
lookup['user'] = g.get('token_data')['user']
# print ("Lookup")
# print (lookup)
def pre_PATCH(request, lookup, data_driver):
print ("Patch")
def pre_POST(request, data_driver):
# Only Post allowed documents
action = 'POST'
#print(g.get('type_groups_permissions'))
print(g.get('groups_permissions'))
print(g.get('world_permissions'))
# Is quering for one specific node
if action not in g.get('world_permissions') and \
action not in g.get('groups_permissions'):
abort(403)
def pre_DELETE(request, lookup, data_driver):
type_world_permissions = g.get('type_world_permissions')
type_owner_permissions = g.get('type_owner_permissions')
type_groups_permissions = g.get('type_groups_permissions')
action = 'DELETE'
if '_id' in lookup:
nodes = data_driver.db['nodes']
dbnode = nodes.find_one({'_id': ObjectId(lookup['_id'])})
# print (dbnode.count())
node_type = str(dbnode['node_type'])
if g.get('token_data')['user'] == dbnode['user']:
owner = True
else:
owner = False
if action not in type_world_permissions[node_type] and \
action not in type_groups_permissions[node_type]:
if action not in type_owner_permissions[node_type]:
print ("Abort1")
abort(403)
else:
if not owner:
print ("Abort2")
abort(403)
else:
print ("Abort3")
abort(403)
def compute_permissions(user, data_driver):
node_type = None
dbnode = None
owner_permissions = []
world_permissions = []
groups_permissions = []
groups = data_driver.db['groups']
users = data_driver.db['users']
# The hardcoded owners group. In this group we define the default permission
# level that the user associated with a node has. These permissions can be
# overridden by custom group and world.
owner_group = groups.find_one({'name': 'owner'})
# The world group is always evaluated, especially when the user is not logged
# in.
world_group = groups.find_one({'name': 'world'})
user_data = users.find_one({'_id': ObjectId(user)})
# If we are requesting a specific node
try:
uuid = request.path.split("/")[2]
nodes = data_driver.db['nodes']
lookup = {'_id': ObjectId(uuid)}
dbnode = nodes.find_one(lookup)
except IndexError:
pass
if dbnode:
# If a node object is found, extract the node_type ObjectID
node_type = str(dbnode['node_type'])
# If we are creating a new node, we get the node_type ObjectID from the request
json_data = None
# TODO(fsiddi): handle creation vs everything else in a more efficient way
try:
json_data = json.loads(request.data)
except ValueError:
pass
if not node_type and json_data:
if 'node_type' in json_data:
node_type = json_data['node_type']
# Extract query lookup
# which node_type is asking for?
# TODO(fsiddi): It's not clear if this code is being used at all
# for arg in request.args:
# if arg == 'where':
# try:
# where = json.loads(request.args[arg])
# except ValueError:
# raise
# if where.get('node_type'):
# node_type = where.get('node_type')
# break
# Get and store permissions for that node_type
type_owner_permissions = {}
type_world_permissions = {}
type_groups_permissions = {}
type_mixed_permissions = {}
for perm in owner_group['permissions']:
# Build the global type_owner_permission dictionary
type_owner_permissions[str(perm['node_type'])] = perm['permissions']
if str(perm['node_type']) == node_type:
# If a node_type ObjectID matches the requested node_type, populate
# the actual owner permissions for the current user
owner_permissions = perm['permissions']
for perm in world_group['permissions']:
# Build the global type_owner_permission dictionary
type_world_permissions[str(perm['node_type'])] = perm['permissions']
if str(perm['node_type']) == node_type:
# If a node_type ObjectID matches the requested node_type, populate
# the actual world permissions in relation to the current user
world_permissions = perm['permissions']
# Adding empty permissions
if str(perm['node_type']) not in type_groups_permissions:
type_groups_permissions[str(perm['node_type'])] = []
# This dictionary will hold the combined permissions. Why?
type_mixed_permissions = type_world_permissions
# Get group ObjectID associated with the requesting user
groups_data = user_data.get('groups')
if groups_data:
for group in groups_data:
group_data = groups.find_one({'_id': ObjectId(group)})
for perm in group_data['permissions']:
# Populate the group permissions. This searches in the
# type_groups_permissions dict, which is generated previously
# using the world permissions. If a world permission is not
# defined for a certain node type, this will fail.
type_groups_permissions[str(perm['node_type'])] += \
perm['permissions']
type_mixed_permissions[str(perm['node_type'])] += \
perm['permissions']
if str(perm['node_type']) == node_type:
groups_permissions = perm['permissions']
return {
'owner_permissions': owner_permissions,
'world_permissions': world_permissions,
'groups_permissions': groups_permissions,
'type_owner_permissions': type_owner_permissions,
'type_world_permissions': type_world_permissions,
'type_groups_permissions': type_groups_permissions,
'type_mixed_permissions': type_mixed_permissions
}
def check_permissions(user, data_driver):
# Entry point should be nodes
entry_point = request.path.split("/")[1]
if entry_point != 'nodes':
return
permissions = compute_permissions(user, data_driver)
# Store permission properties on global
setattr(g, 'owner_permissions', permissions['owner_permissions'])
setattr(g, 'world_permissions', permissions['world_permissions'])
setattr(g, 'groups_permissions', permissions['groups_permissions'])
setattr(g, 'type_owner_permissions', permissions['type_owner_permissions'])
setattr(g, 'type_world_permissions', permissions['type_world_permissions'])
setattr(g, 'type_groups_permissions', permissions['type_groups_permissions'])