Removed previous authentication logic
Should not have functional changes.
This commit is contained in:
@@ -19,13 +19,6 @@ from flask import request
|
||||
from flask import url_for
|
||||
from flask import abort
|
||||
|
||||
from pre_hooks import pre_GET
|
||||
from pre_hooks import pre_PUT
|
||||
from pre_hooks import pre_PATCH
|
||||
from pre_hooks import pre_POST
|
||||
from pre_hooks import pre_DELETE
|
||||
# from pre_hooks import check_permissions
|
||||
# from pre_hooks import compute_permissions
|
||||
|
||||
from datetime import datetime
|
||||
from datetime import timedelta
|
||||
@@ -140,59 +133,17 @@ def validate_token():
|
||||
setattr(g, 'current_user', current_user)
|
||||
|
||||
|
||||
class TokensAuth(TokenAuth):
|
||||
def check_auth(self, token, allowed_roles, resource, method):
|
||||
if not token:
|
||||
return False
|
||||
|
||||
validate_token()
|
||||
|
||||
# if dbtoken:
|
||||
# check_permissions(dbtoken['user'])
|
||||
# return True
|
||||
|
||||
# return validation['valid']
|
||||
return True
|
||||
|
||||
|
||||
class BasicsAuth(BasicAuth):
|
||||
def check_auth(self, username, password, allowed_roles, resource, method):
|
||||
# return username == 'admin' and password == 'secret'
|
||||
print username
|
||||
print password
|
||||
return True
|
||||
|
||||
|
||||
class CustomTokenAuth(BasicsAuth):
|
||||
"""Switch between Basic and Token auth"""
|
||||
def __init__(self):
|
||||
self.token_auth = TokensAuth()
|
||||
self.authorized_protected = BasicsAuth.authorized
|
||||
|
||||
def authorized(self, allowed_roles, resource, method):
|
||||
# if resource == 'tokens':
|
||||
if False:
|
||||
return self.authorized_protected(
|
||||
self, allowed_roles, resource, method)
|
||||
else:
|
||||
print 'is auth'
|
||||
return self.token_auth.authorized(allowed_roles, resource, method)
|
||||
|
||||
def authorized_protected(self):
|
||||
pass
|
||||
|
||||
|
||||
class NewAuth(TokenAuth):
|
||||
def check_auth(self, token, allowed_roles, resource, method):
|
||||
if not token:
|
||||
return False
|
||||
else:
|
||||
print '---'
|
||||
print 'validating'
|
||||
print token
|
||||
print resource
|
||||
print method
|
||||
print '---'
|
||||
# print '---'
|
||||
# print 'validating'
|
||||
# print token
|
||||
# print resource
|
||||
# print method
|
||||
# print '---'
|
||||
validate_token()
|
||||
|
||||
return True
|
||||
@@ -273,65 +224,6 @@ client = MongoClient(app.config['MONGO_HOST'], 27017)
|
||||
db = client.eve
|
||||
|
||||
|
||||
def global_validation():
|
||||
token_data = validate_token()
|
||||
if token_data:
|
||||
setattr(g, 'token_data', token_data)
|
||||
#setattr(g, 'validate', validate(token_data['token']))
|
||||
check_permissions(token_data['user'], app.data.driver)
|
||||
else:
|
||||
print 'NO TOKEN'
|
||||
|
||||
|
||||
def pre_GET_nodes(request, lookup):
|
||||
# Only get allowed documents
|
||||
global_validation()
|
||||
# print ("Get")
|
||||
# print ("Owner: {0}".format(g.get('owner_permissions')))
|
||||
# print ("World: {0}".format(g.get('world_permissions')))
|
||||
return pre_GET(request, lookup, app.data.driver)
|
||||
|
||||
|
||||
def pre_PUT_nodes(request, lookup):
|
||||
# Only Update allowed documents
|
||||
global_validation()
|
||||
# print ("Put")
|
||||
# print ("Owner: {0}".format(g.get('owner_permissions')))
|
||||
# print ("World: {0}".format(g.get('world_permissions')))
|
||||
return pre_PUT(request, lookup, app.data.driver)
|
||||
|
||||
|
||||
def pre_PATCH_nodes(request):
|
||||
return pre_PATCH(request, app.data.driver)
|
||||
|
||||
|
||||
def pre_POST_nodes(request):
|
||||
# global_validation()
|
||||
# print ("Post")
|
||||
# print ("World: {0}".format(g.get('world_permissions')))
|
||||
# print ("Group: {0}".format(g.get('groups_permissions')))
|
||||
# return pre_POST(request, app.data.driver)
|
||||
print 'pre posting'
|
||||
print request
|
||||
|
||||
|
||||
def pre_DELETE_nodes(request, lookup):
|
||||
# Only Delete allowed documents
|
||||
global_validation()
|
||||
# print ("Delete")
|
||||
# print ("Owner: {0}".format(type_owner_permissions))
|
||||
# print ("World: {0}".format(type_world_permissions))
|
||||
# print ("Groups: {0}".format(type_groups_permissions))
|
||||
return pre_DELETE(request, lookup, app.data.driver)
|
||||
|
||||
|
||||
#app.on_pre_GET_nodes += pre_GET_nodes
|
||||
app.on_pre_POST_nodes += pre_POST_nodes
|
||||
# app.on_pre_PATCH_nodes += pre_PATCH_nodes
|
||||
#app.on_pre_PUT_nodes += pre_PUT_nodes
|
||||
app.on_pre_DELETE_nodes += pre_DELETE_nodes
|
||||
|
||||
|
||||
def check_permissions(resource, method):
|
||||
"""Check user permissions to access a node. We look up node permissions from
|
||||
world to groups to users and match them with the computed user permissions.
|
||||
|
||||
@@ -1,237 +0,0 @@
|
||||
import json
|
||||
from flask import g
|
||||
from flask import abort
|
||||
from flask import request
|
||||
|
||||
from bson import ObjectId
|
||||
|
||||
# from application import app
|
||||
|
||||
|
||||
def permissions_lookup(action, lookup):
|
||||
type_world_permissions = g.get('type_world_permissions')
|
||||
type_owner_permissions = g.get('type_owner_permissions')
|
||||
node_types = []
|
||||
# Get all node_types allowed by world:
|
||||
for perm in type_world_permissions:
|
||||
if action in type_world_permissions[perm]:
|
||||
node_types.append(str(perm))
|
||||
# Get all nodes with node_type allowed by owner if user == owner
|
||||
owner_lookup = []
|
||||
for perm in type_owner_permissions:
|
||||
if action in type_owner_permissions[perm]:
|
||||
if action not in type_world_permissions[perm]:
|
||||
# If one of the following is true
|
||||
# If node_type==node_type and user==user
|
||||
owner_lookup.append(
|
||||
{'$and': [{'node_type': str(perm)},
|
||||
{'user': str(g.get('token_data')['user'])}]})
|
||||
lookup['$or'] = [{'node_type': {'$in': node_types}}]
|
||||
if len(owner_lookup) > 0:
|
||||
lookup['$or'].append({'$or': owner_lookup})
|
||||
return lookup
|
||||
|
||||
|
||||
def pre_GET(request, lookup, data_driver):
|
||||
action = 'GET'
|
||||
if 'token_type' not in lookup and '_id' not in request.view_args:
|
||||
# Is quering for all nodes (mixed types)
|
||||
lookup = permissions_lookup(action, lookup)
|
||||
else:
|
||||
# Is quering for one specific node
|
||||
if action not in g.get('world_permissions') and \
|
||||
action not in g.get('groups_permissions'):
|
||||
lookup['user'] = g.get('token_data')['user']
|
||||
# token_data = validate_token()
|
||||
# validate(token_data['token'])
|
||||
|
||||
# lookup["userr"] = "user"
|
||||
# print ("Lookup")
|
||||
# print (lookup)
|
||||
|
||||
|
||||
def pre_PUT(request, lookup, data_driver):
|
||||
action = 'UPDATE'
|
||||
if 'token_type' not in lookup and '_id' not in request.view_args:
|
||||
# Is updating all nodes (mixed types)
|
||||
lookup = permissions_lookup(action, lookup)
|
||||
else:
|
||||
# Is updating one specific node
|
||||
if action not in g.get('world_permissions') and \
|
||||
action not in g.get('groups_permissions'):
|
||||
lookup['user'] = g.get('token_data')['user']
|
||||
|
||||
# print ("Lookup")
|
||||
# print (lookup)
|
||||
|
||||
|
||||
def pre_PATCH(request, lookup, data_driver):
|
||||
print ("Patch")
|
||||
|
||||
|
||||
def pre_POST(request, data_driver):
|
||||
# Only Post allowed documents
|
||||
action = 'POST'
|
||||
#print(g.get('type_groups_permissions'))
|
||||
print(g.get('groups_permissions'))
|
||||
print(g.get('world_permissions'))
|
||||
# Is quering for one specific node
|
||||
if action not in g.get('world_permissions') and \
|
||||
action not in g.get('groups_permissions'):
|
||||
abort(403)
|
||||
|
||||
|
||||
def pre_DELETE(request, lookup, data_driver):
|
||||
type_world_permissions = g.get('type_world_permissions')
|
||||
type_owner_permissions = g.get('type_owner_permissions')
|
||||
type_groups_permissions = g.get('type_groups_permissions')
|
||||
action = 'DELETE'
|
||||
|
||||
if '_id' in lookup:
|
||||
nodes = data_driver.db['nodes']
|
||||
dbnode = nodes.find_one({'_id': ObjectId(lookup['_id'])})
|
||||
# print (dbnode.count())
|
||||
node_type = str(dbnode['node_type'])
|
||||
if g.get('token_data')['user'] == dbnode['user']:
|
||||
owner = True
|
||||
else:
|
||||
owner = False
|
||||
if action not in type_world_permissions[node_type] and \
|
||||
action not in type_groups_permissions[node_type]:
|
||||
if action not in type_owner_permissions[node_type]:
|
||||
print ("Abort1")
|
||||
abort(403)
|
||||
else:
|
||||
if not owner:
|
||||
print ("Abort2")
|
||||
abort(403)
|
||||
else:
|
||||
print ("Abort3")
|
||||
abort(403)
|
||||
|
||||
|
||||
def compute_permissions(user, data_driver):
|
||||
node_type = None
|
||||
dbnode = None
|
||||
owner_permissions = []
|
||||
world_permissions = []
|
||||
groups_permissions = []
|
||||
groups = data_driver.db['groups']
|
||||
users = data_driver.db['users']
|
||||
# The hardcoded owners group. In this group we define the default permission
|
||||
# level that the user associated with a node has. These permissions can be
|
||||
# overridden by custom group and world.
|
||||
owner_group = groups.find_one({'name': 'owner'})
|
||||
# The world group is always evaluated, especially when the user is not logged
|
||||
# in.
|
||||
world_group = groups.find_one({'name': 'world'})
|
||||
user_data = users.find_one({'_id': ObjectId(user)})
|
||||
# If we are requesting a specific node
|
||||
try:
|
||||
uuid = request.path.split("/")[2]
|
||||
nodes = data_driver.db['nodes']
|
||||
lookup = {'_id': ObjectId(uuid)}
|
||||
dbnode = nodes.find_one(lookup)
|
||||
except IndexError:
|
||||
pass
|
||||
if dbnode:
|
||||
# If a node object is found, extract the node_type ObjectID
|
||||
node_type = str(dbnode['node_type'])
|
||||
|
||||
# If we are creating a new node, we get the node_type ObjectID from the request
|
||||
json_data = None
|
||||
# TODO(fsiddi): handle creation vs everything else in a more efficient way
|
||||
try:
|
||||
json_data = json.loads(request.data)
|
||||
except ValueError:
|
||||
pass
|
||||
if not node_type and json_data:
|
||||
if 'node_type' in json_data:
|
||||
node_type = json_data['node_type']
|
||||
|
||||
# Extract query lookup
|
||||
# which node_type is asking for?
|
||||
# TODO(fsiddi): It's not clear if this code is being used at all
|
||||
|
||||
# for arg in request.args:
|
||||
# if arg == 'where':
|
||||
# try:
|
||||
# where = json.loads(request.args[arg])
|
||||
# except ValueError:
|
||||
# raise
|
||||
# if where.get('node_type'):
|
||||
# node_type = where.get('node_type')
|
||||
# break
|
||||
|
||||
# Get and store permissions for that node_type
|
||||
type_owner_permissions = {}
|
||||
type_world_permissions = {}
|
||||
type_groups_permissions = {}
|
||||
type_mixed_permissions = {}
|
||||
|
||||
for perm in owner_group['permissions']:
|
||||
# Build the global type_owner_permission dictionary
|
||||
type_owner_permissions[str(perm['node_type'])] = perm['permissions']
|
||||
if str(perm['node_type']) == node_type:
|
||||
# If a node_type ObjectID matches the requested node_type, populate
|
||||
# the actual owner permissions for the current user
|
||||
owner_permissions = perm['permissions']
|
||||
|
||||
for perm in world_group['permissions']:
|
||||
# Build the global type_owner_permission dictionary
|
||||
type_world_permissions[str(perm['node_type'])] = perm['permissions']
|
||||
if str(perm['node_type']) == node_type:
|
||||
# If a node_type ObjectID matches the requested node_type, populate
|
||||
# the actual world permissions in relation to the current user
|
||||
world_permissions = perm['permissions']
|
||||
|
||||
# Adding empty permissions
|
||||
if str(perm['node_type']) not in type_groups_permissions:
|
||||
type_groups_permissions[str(perm['node_type'])] = []
|
||||
|
||||
# This dictionary will hold the combined permissions. Why?
|
||||
type_mixed_permissions = type_world_permissions
|
||||
|
||||
# Get group ObjectID associated with the requesting user
|
||||
groups_data = user_data.get('groups')
|
||||
if groups_data:
|
||||
for group in groups_data:
|
||||
group_data = groups.find_one({'_id': ObjectId(group)})
|
||||
for perm in group_data['permissions']:
|
||||
# Populate the group permissions. This searches in the
|
||||
# type_groups_permissions dict, which is generated previously
|
||||
# using the world permissions. If a world permission is not
|
||||
# defined for a certain node type, this will fail.
|
||||
type_groups_permissions[str(perm['node_type'])] += \
|
||||
perm['permissions']
|
||||
type_mixed_permissions[str(perm['node_type'])] += \
|
||||
perm['permissions']
|
||||
if str(perm['node_type']) == node_type:
|
||||
groups_permissions = perm['permissions']
|
||||
|
||||
return {
|
||||
'owner_permissions': owner_permissions,
|
||||
'world_permissions': world_permissions,
|
||||
'groups_permissions': groups_permissions,
|
||||
'type_owner_permissions': type_owner_permissions,
|
||||
'type_world_permissions': type_world_permissions,
|
||||
'type_groups_permissions': type_groups_permissions,
|
||||
'type_mixed_permissions': type_mixed_permissions
|
||||
}
|
||||
|
||||
|
||||
def check_permissions(user, data_driver):
|
||||
# Entry point should be nodes
|
||||
entry_point = request.path.split("/")[1]
|
||||
if entry_point != 'nodes':
|
||||
return
|
||||
|
||||
permissions = compute_permissions(user, data_driver)
|
||||
|
||||
# Store permission properties on global
|
||||
setattr(g, 'owner_permissions', permissions['owner_permissions'])
|
||||
setattr(g, 'world_permissions', permissions['world_permissions'])
|
||||
setattr(g, 'groups_permissions', permissions['groups_permissions'])
|
||||
setattr(g, 'type_owner_permissions', permissions['type_owner_permissions'])
|
||||
setattr(g, 'type_world_permissions', permissions['type_world_permissions'])
|
||||
setattr(g, 'type_groups_permissions', permissions['type_groups_permissions'])
|
||||
Reference in New Issue
Block a user