author | Marcin Kuzminski <marcin@python-works.com> | 2012-12-30 23:06:03 +0100 |
---|---|---|
committer | Marcin Kuzminski <marcin@python-works.com> | 2012-12-30 23:06:03 +0100 |
commit | b8e1df75b21aad11a161aa3930eb7f26c1c45770 (patch) | |
tree | fcc9b54514288e334d5cf135ecb0e28fb12053bb /rhodecode/controllers | |
parent | 41981be79eefe651870aab3138d143296a4205a2 (diff) |
Added UserIpMap interface for allowed IP addresses and IP restriction access
ref #264 IP restriction for users and user groups
--HG--
branch : beta
extra : amend_source : b1cad1d9ff6ef50b570689dacec7902a8909895b
Diffstat (limited to 'rhodecode/controllers')
-rw-r--r-- | rhodecode/controllers/admin/permissions.py | 81 | ||||
-rw-r--r-- | rhodecode/controllers/admin/users.py | 44 | ||||
-rw-r--r-- | rhodecode/controllers/api/__init__.py | 15 | ||||
-rw-r--r-- | rhodecode/controllers/api/api.py | 3 |
4 files changed, 100 insertions, 43 deletions
diff --git a/rhodecode/controllers/admin/permissions.py b/rhodecode/controllers/admin/permissions.py index bdbaeddd..8acee302 100644 --- a/rhodecode/controllers/admin/permissions.py +++ b/rhodecode/controllers/admin/permissions.py @@ -33,11 +33,12 @@ from pylons.controllers.util import abort, redirect from pylons.i18n.translation import _ from rhodecode.lib import helpers as h -from rhodecode.lib.auth import LoginRequired, HasPermissionAllDecorator +from rhodecode.lib.auth import LoginRequired, HasPermissionAllDecorator,\ + AuthUser from rhodecode.lib.base import BaseController, render from rhodecode.model.forms import DefaultPermissionsForm from rhodecode.model.permission import PermissionModel -from rhodecode.model.db import User +from rhodecode.model.db import User, UserIpMap from rhodecode.model.meta import Session log = logging.getLogger(__name__) 
@@ -105,36 +106,41 @@ class PermissionsController(BaseController): # h.form(url('permission', id=ID), # method='put') # url('permission', id=ID) - - permission_model = PermissionModel() - - _form = DefaultPermissionsForm([x[0] for x in self.repo_perms_choices], - [x[0] for x in self.group_perms_choices], - [x[0] for x in self.register_choices], - [x[0] for x in self.create_choices], - [x[0] for x in self.fork_choices])() - - try: - form_result = _form.to_python(dict(request.POST)) - form_result.update({'perm_user_name': id}) - permission_model.update(form_result) - Session().commit() - h.flash(_('Default permissions updated successfully'), - category='success') - - except formencode.Invalid, errors: - defaults = errors.value - - return htmlfill.render( - render('admin/permissions/permissions.html'), - defaults=defaults, - errors=errors.error_dict or {}, - prefix_error=False, - encoding="UTF-8") - except Exception: - log.error(traceback.format_exc()) - h.flash(_('error occurred during update of permissions'), - category='error') + if id == 'default': + c.user = default_user = User.get_by_username('default') + c.perm_user = AuthUser(user_id=default_user.user_id) + c.user_ip_map = UserIpMap.query()\ + .filter(UserIpMap.user == default_user).all() + permission_model = PermissionModel() + + _form = DefaultPermissionsForm( + [x[0] for x in self.repo_perms_choices], + [x[0] for x in self.group_perms_choices], + [x[0] for x in self.register_choices], + [x[0] for x in self.create_choices], + [x[0] for x in self.fork_choices])() + + try: + form_result = _form.to_python(dict(request.POST)) + form_result.update({'perm_user_name': id}) + permission_model.update(form_result) + Session().commit() + h.flash(_('Default permissions updated successfully'), + category='success') + + except formencode.Invalid, errors: + defaults = errors.value + + return htmlfill.render( + render('admin/permissions/permissions.html'), + defaults=defaults, + errors=errors.error_dict or {}, + 
prefix_error=False, + encoding="UTF-8") + except Exception: + log.error(traceback.format_exc()) + h.flash(_('error occurred during update of permissions'), + category='error') return redirect(url('edit_permission', id=id)) @@ -157,10 +163,11 @@ class PermissionsController(BaseController): #this form can only edit default user permissions if id == 'default': - default_user = User.get_by_username('default') - defaults = {'_method': 'put', - 'anonymous': default_user.active} - + c.user = default_user = User.get_by_username('default') + defaults = {'anonymous': default_user.active} + c.perm_user = AuthUser(user_id=default_user.user_id) + c.user_ip_map = UserIpMap.query()\ + .filter(UserIpMap.user == default_user).all() for p in default_user.user_perms: if p.permission.permission_name.startswith('repository.'): defaults['default_repo_perm'] = p.permission.permission_name @@ -181,7 +188,7 @@ class PermissionsController(BaseController): render('admin/permissions/permissions.html'), defaults=defaults, encoding="UTF-8", - force_defaults=True, + force_defaults=False ) else: return redirect(url('admin_home')) diff --git a/rhodecode/controllers/admin/users.py b/rhodecode/controllers/admin/users.py index e8d222ef..6b815bf4 100644 --- a/rhodecode/controllers/admin/users.py +++ b/rhodecode/controllers/admin/users.py @@ -41,7 +41,7 @@ from rhodecode.lib.auth import LoginRequired, HasPermissionAllDecorator, \ AuthUser from rhodecode.lib.base import BaseController, render -from rhodecode.model.db import User, UserEmailMap +from rhodecode.model.db import User, UserEmailMap, UserIpMap from rhodecode.model.forms import UserForm from rhodecode.model.user import UserModel from rhodecode.model.meta import Session 
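Review bot: In the new `update` body, `c.perm_user = AuthUser(user_id=default_user.user_id)` is built without the request address, whereas the parallel lines in users.py pass `ip_addr=self.ip_addr`, and the `edit` hunk at @@ -157 constructs it the same way. If AuthUser uses `ip_addr` to report whether the current address is admitted for that user (which the users.py change suggests), the default-user permissions page will render without that information, so `c.perm_user = AuthUser(user_id=default_user.user_id, ip_addr=self.ip_addr)` in both places keeps the two controllers consistent — assuming `self.ip_addr` is provided by BaseController here as it is in UsersController. A smaller point: wrapping the whole body in `if id == 'default':` means a request with any other id now silently falls through to the `edit_permission` redirect with no flash or error, unlike `edit`, which redirects to `admin_home`; an explicit else branch with a flash, or an `abort(404)`, would make the restriction visible. The `update` method's signature and decorators lie above the hunk.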
@@ -159,7 +159,7 @@ class UsersController(BaseController): user_model = UserModel() c.user = user_model.get(id) c.ldap_dn = c.user.ldap_dn - c.perm_user = AuthUser(user_id=id) + c.perm_user = AuthUser(user_id=id, ip_addr=self.ip_addr) _form = UserForm(edit=True, old_data={'user_id': id, 'email': c.user.email})() form_result = {} @@ -178,6 +178,8 @@ class UsersController(BaseController): except formencode.Invalid, errors: c.user_email_map = UserEmailMap.query()\ .filter(UserEmailMap.user == c.user).all() + c.user_ip_map = UserIpMap.query()\ + .filter(UserIpMap.user == c.user).all() defaults = errors.value e = errors.error_dict or {} defaults.update({ @@ -231,12 +233,14 @@ class UsersController(BaseController): h.flash(_("You can't edit this user"), category='warning') return redirect(url('users')) - c.perm_user = AuthUser(user_id=id) + c.perm_user = AuthUser(user_id=id, ip_addr=self.ip_addr) c.user.permissions = {} c.granted_permissions = UserModel().fill_perms(c.user)\ .permissions['global'] c.user_email_map = UserEmailMap.query()\ .filter(UserEmailMap.user == c.user).all() + c.user_ip_map = UserIpMap.query()\ + .filter(UserIpMap.user == c.user).all() user_model = UserModel() c.ldap_dn = c.user.ldap_dn defaults = c.user.get_dict() @@ -299,7 +303,6 @@ class UsersController(BaseController): """POST /user_emails:Add an existing item""" # url('user_emails', id=ID, method='put') - #TODO: validation and form !!! email = request.POST.get('new_email') user_model = UserModel() 
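Review bot: The two-line query `c.user_ip_map = UserIpMap.query().filter(UserIpMap.user == c.user).all()` added in the @@ -178 and @@ -231 hunks is the same statement permissions.py now repeats twice for the default user; a single accessor on the model, next to whatever `add_extra_ip` and `delete_extra_ip` already do there, would keep the four call sites from drifting. Also, in @@ -159 and @@ -231, `AuthUser(user_id=id, ip_addr=self.ip_addr)` pairs the edited user with the administrator's own request address; if AuthUser uses `ip_addr` to derive an allowed/denied flag for the template, that flag answers whether the edited user would be admitted from the admin's IP, which deserves a comment such as `# ip_addr is the admin's request address, not the edited user's`. Both enclosing methods begin outside their hunks.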
@@ -324,3 +327,36 @@ class UsersController(BaseController): Session().commit() h.flash(_("Removed email from user"), category='success') return redirect(url('edit_user', id=id)) + + def add_ip(self, id): + """POST /user_ips:Add an existing item""" + # url('user_ips', id=ID, method='put') + + ip = request.POST.get('new_ip') + user_model = UserModel() + + try: + user_model.add_extra_ip(id, ip) + Session().commit() + h.flash(_("Added ip %s to user") % ip, category='success') + except formencode.Invalid, error: + msg = error.error_dict['ip'] + h.flash(msg, category='error') + except Exception: + log.error(traceback.format_exc()) + h.flash(_('An error occurred during ip saving'), + category='error') + if 'default_user' in request.POST: + return redirect(url('edit_permission', id='default')) + return redirect(url('edit_user', id=id)) + + def delete_ip(self, id): + """DELETE /user_ips_delete/id: Delete an existing item""" + # url('user_ips_delete', id=ID, method='delete') + user_model = UserModel() + user_model.delete_extra_ip(id, request.POST.get('del_ip')) + Session().commit() + h.flash(_("Removed ip from user"), category='success') + if 'default_user' in request.POST: + return redirect(url('edit_permission', id='default')) + return redirect(url('edit_user', id=id)) diff --git a/rhodecode/controllers/api/__init__.py b/rhodecode/controllers/api/__init__.py index 13fd7033..01cfe118 100644 --- a/rhodecode/controllers/api/__init__.py +++ b/rhodecode/controllers/api/__init__.py @@ -43,7 +43,7 @@ from webob.exc import HTTPNotFound, HTTPForbidden, HTTPInternalServerError, \ HTTPBadRequest, HTTPError from rhodecode.model.db import User -from rhodecode.lib.auth import AuthUser +from rhodecode.lib.auth import AuthUser, check_ip_access from rhodecode.lib.base import _get_ip_addr, _get_access_path from rhodecode.lib.utils2 import safe_unicode 
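Review bot: In `add_ip`, `msg = error.error_dict['ip']` inside the `formencode.Invalid` handler assumes a dict keyed by `'ip'`; the other handlers in this file guard with `errors.error_dict or {}`, and a KeyError or TypeError raised here escapes the method because the sibling `except Exception` does not cover exceptions thrown from another except clause. Safer is `msg = (error.error_dict or {}).get('ip') or str(error)`. `delete_ip` has no try/except at all, so a failure in `delete_extra_ip` surfaces as a server error rather than a flash — acceptable if intentional, but worth aligning with `add_ip`. Because both methods change a user's IP allow-list, a `log.info` line naming the target user id, the address added or removed and the acting administrator would give an audit trail for the restriction feature this commit introduces; the flash messages alone are not persisted.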
@@ -99,6 +99,7 @@ class JSONRPCController(WSGIController): controller and if it exists, dispatch to it. """ start = time.time() + ip_addr = self._get_ip_addr(environ) self._req_id = None if 'CONTENT_LENGTH' not in environ: log.debug("No Content-Length") @@ -144,7 +145,17 @@ class JSONRPCController(WSGIController): if u is None: return jsonrpc_error(retid=self._req_id, message='Invalid API KEY') - auth_u = AuthUser(u.user_id, self._req_api_key) + #check if we are allowed to use this IP + allowed_ips = AuthUser.get_allowed_ips(u.user_id) + if check_ip_access(source_ip=ip_addr, allowed_ips=allowed_ips) is False: + log.info('Access for IP:%s forbidden, ' + 'not in %s' % (ip_addr, allowed_ips)) + return jsonrpc_error(retid=self._req_id, + message='request from IP:%s not allowed' % (ip_addr)) + else: + log.info('Access for IP:%s allowed' % (ip_addr)) + + auth_u = AuthUser(u.user_id, self._req_api_key, ip_addr=ip_addr) except Exception, e: return jsonrpc_error(retid=self._req_id, message='Invalid API KEY') diff --git a/rhodecode/controllers/api/api.py b/rhodecode/controllers/api/api.py index 8a0b2dfe..c3b31c58 100644 --- a/rhodecode/controllers/api/api.py +++ b/rhodecode/controllers/api/api.py @@ -140,6 +140,9 @@ class ApiController(JSONRPCController): errors that happens """ + def _get_ip_addr(self, environ): + from rhodecode.lib.base import _get_ip_addr + return _get_ip_addr(environ) @HasPermissionAllDecorator('hg.admin') def pull(self, apiuser, repoid): |
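Review bot: `ip_addr = self._get_ip_addr(environ)` in JSONRPCController calls a method this class does not define; it only works because ApiController adds `_get_ip_addr` in the api.py hunk, so any other subclass of JSONRPCController would raise AttributeError in the request entry method. The module already imports the function (`from rhodecode.lib.base import _get_ip_addr, _get_access_path` is context in the @@ -43 hunk), so `ip_addr = _get_ip_addr(environ)` here makes the subclass wrapper and its function-scope import unnecessary. If the indirection is deliberate (for instance to let tests override address lookup), a short comment on the base class stating that subclasses must provide `_get_ip_addr(environ)` would document the contract. The enclosing method continues beyond the hunk.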
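Review bot: `if check_ip_access(source_ip=ip_addr, allowed_ips=allowed_ips) is False:` only denies on the exact `False` object; if `check_ip_access` can return `None` or another falsy value (for example when `allowed_ips` is empty or malformed), the request is admitted, so `if not check_ip_access(source_ip=ip_addr, allowed_ips=allowed_ips):` fails closed. The check also runs inside the `try` whose `except Exception, e:` answers `'Invalid API KEY'` (the `except` is visible at the end of the hunk, the `try:` is above it), so an exception from `get_allowed_ips` or `check_ip_access` is reported to the caller as a key problem and nothing is logged; catching it separately, or at least logging `e`, keeps denials diagnosable. Finally, the refusal and the per-request `'Access for IP:%s allowed'` line are both at `info`; logging the refusal at `warning` and the allow at `debug` makes the security-relevant event stand out, and passing values as logging arguments (`log.warning('Access for IP:%s forbidden, not in %s', ip_addr, allowed_ips)`) avoids eager formatting.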