authorMarcin Kuzminski <marcin@python-works.com>2012-12-30 23:06:03 +0100
committerMarcin Kuzminski <marcin@python-works.com>2012-12-30 23:06:03 +0100
commitb8e1df75b21aad11a161aa3930eb7f26c1c45770 (patch)
treefcc9b54514288e334d5cf135ecb0e28fb12053bb /rhodecode/controllers
parent41981be79eefe651870aab3138d143296a4205a2 (diff)
Added UserIpMap interface for allowed IP addresses and IP restriction access
ref #264 IP restriction for users and user groups --HG-- branch : beta extra : amend_source : b1cad1d9ff6ef50b570689dacec7902a8909895b
Diffstat (limited to 'rhodecode/controllers')
-rw-r--r--rhodecode/controllers/admin/permissions.py81
-rw-r--r--rhodecode/controllers/admin/users.py44
-rw-r--r--rhodecode/controllers/api/__init__.py15
-rw-r--r--rhodecode/controllers/api/api.py3
4 files changed, 100 insertions, 43 deletions
diff --git a/rhodecode/controllers/admin/permissions.py b/rhodecode/controllers/admin/permissions.py
index bdbaeddd..8acee302 100644
--- a/rhodecode/controllers/admin/permissions.py
+++ b/rhodecode/controllers/admin/permissions.py
@@ -33,11 +33,12 @@ from pylons.controllers.util import abort, redirect
from pylons.i18n.translation import _
from rhodecode.lib import helpers as h
-from rhodecode.lib.auth import LoginRequired, HasPermissionAllDecorator
+from rhodecode.lib.auth import LoginRequired, HasPermissionAllDecorator,\
+ AuthUser
from rhodecode.lib.base import BaseController, render
from rhodecode.model.forms import DefaultPermissionsForm
from rhodecode.model.permission import PermissionModel
-from rhodecode.model.db import User
+from rhodecode.model.db import User, UserIpMap
from rhodecode.model.meta import Session
log = logging.getLogger(__name__)
@@ -105,36 +106,41 @@ class PermissionsController(BaseController):
# h.form(url('permission', id=ID),
# method='put')
# url('permission', id=ID)
-
- permission_model = PermissionModel()
-
- _form = DefaultPermissionsForm([x[0] for x in self.repo_perms_choices],
- [x[0] for x in self.group_perms_choices],
- [x[0] for x in self.register_choices],
- [x[0] for x in self.create_choices],
- [x[0] for x in self.fork_choices])()
-
- try:
- form_result = _form.to_python(dict(request.POST))
- form_result.update({'perm_user_name': id})
- permission_model.update(form_result)
- Session().commit()
- h.flash(_('Default permissions updated successfully'),
- category='success')
-
- except formencode.Invalid, errors:
- defaults = errors.value
-
- return htmlfill.render(
- render('admin/permissions/permissions.html'),
- defaults=defaults,
- errors=errors.error_dict or {},
- prefix_error=False,
- encoding="UTF-8")
- except Exception:
- log.error(traceback.format_exc())
- h.flash(_('error occurred during update of permissions'),
- category='error')
+ if id == 'default':
+ c.user = default_user = User.get_by_username('default')
+ c.perm_user = AuthUser(user_id=default_user.user_id)
+ c.user_ip_map = UserIpMap.query()\
+ .filter(UserIpMap.user == default_user).all()
+ permission_model = PermissionModel()
+
+ _form = DefaultPermissionsForm(
+ [x[0] for x in self.repo_perms_choices],
+ [x[0] for x in self.group_perms_choices],
+ [x[0] for x in self.register_choices],
+ [x[0] for x in self.create_choices],
+ [x[0] for x in self.fork_choices])()
+
+ try:
+ form_result = _form.to_python(dict(request.POST))
+ form_result.update({'perm_user_name': id})
+ permission_model.update(form_result)
+ Session().commit()
+ h.flash(_('Default permissions updated successfully'),
+ category='success')
+
+ except formencode.Invalid, errors:
+ defaults = errors.value
+
+ return htmlfill.render(
+ render('admin/permissions/permissions.html'),
+ defaults=defaults,
+ errors=errors.error_dict or {},
+ prefix_error=False,
+ encoding="UTF-8")
+ except Exception:
+ log.error(traceback.format_exc())
+ h.flash(_('error occurred during update of permissions'),
+ category='error')
return redirect(url('edit_permission', id=id))
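Review bot: `c.perm_user = AuthUser(user_id=default_user.user_id)` in the new `if id == 'default':` branch builds the AuthUser without the request IP, while the parallel users.py hunks in this commit construct it as `AuthUser(user_id=id, ip_addr=self.ip_addr)`; the same omission is in the edit hunk below (`c.perm_user = AuthUser(user_id=default_user.user_id)`). If the template uses `c.perm_user` to show whether the current IP is permitted, the default-user page would display a different result than the per-user page. Suggest `c.perm_user = AuthUser(user_id=default_user.user_id, ip_addr=self.ip_addr)` in both places, assuming `self.ip_addr` is set on BaseController as it appears to be for UsersController. The enclosing `update` method starts outside this hunk.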
@@ -157,10 +163,11 @@ class PermissionsController(BaseController):
#this form can only edit default user permissions
if id == 'default':
- default_user = User.get_by_username('default')
- defaults = {'_method': 'put',
- 'anonymous': default_user.active}
-
+ c.user = default_user = User.get_by_username('default')
+ defaults = {'anonymous': default_user.active}
+ c.perm_user = AuthUser(user_id=default_user.user_id)
+ c.user_ip_map = UserIpMap.query()\
+ .filter(UserIpMap.user == default_user).all()
for p in default_user.user_perms:
if p.permission.permission_name.startswith('repository.'):
defaults['default_repo_perm'] = p.permission.permission_name
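Review bot: The rewritten `defaults = {'anonymous': default_user.active}` drops the `'_method': 'put'` entry that the old code supplied, and the next hunk switches the render call to `force_defaults=False`. If the permissions template relied on htmlfill to populate a hidden `_method` field, the form would now submit as POST rather than the PUT that the routing comment (`method='put'`) expects; this cannot be confirmed from the hunk, so it is worth checking that the template emits `_method` itself. The enclosing `edit` method starts before and continues after this hunk.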
@@ -181,7 +188,7 @@ class PermissionsController(BaseController):
render('admin/permissions/permissions.html'),
defaults=defaults,
encoding="UTF-8",
- force_defaults=True,
+ force_defaults=False
)
else:
return redirect(url('admin_home'))
diff --git a/rhodecode/controllers/admin/users.py b/rhodecode/controllers/admin/users.py
index e8d222ef..6b815bf4 100644
--- a/rhodecode/controllers/admin/users.py
+++ b/rhodecode/controllers/admin/users.py
@@ -41,7 +41,7 @@ from rhodecode.lib.auth import LoginRequired, HasPermissionAllDecorator, \
AuthUser
from rhodecode.lib.base import BaseController, render
-from rhodecode.model.db import User, UserEmailMap
+from rhodecode.model.db import User, UserEmailMap, UserIpMap
from rhodecode.model.forms import UserForm
from rhodecode.model.user import UserModel
from rhodecode.model.meta import Session
@@ -159,7 +159,7 @@ class UsersController(BaseController):
user_model = UserModel()
c.user = user_model.get(id)
c.ldap_dn = c.user.ldap_dn
- c.perm_user = AuthUser(user_id=id)
+ c.perm_user = AuthUser(user_id=id, ip_addr=self.ip_addr)
_form = UserForm(edit=True, old_data={'user_id': id,
'email': c.user.email})()
form_result = {}
@@ -178,6 +178,8 @@ class UsersController(BaseController):
except formencode.Invalid, errors:
c.user_email_map = UserEmailMap.query()\
.filter(UserEmailMap.user == c.user).all()
+ c.user_ip_map = UserIpMap.query()\
+ .filter(UserIpMap.user == c.user).all()
defaults = errors.value
e = errors.error_dict or {}
defaults.update({
@@ -231,12 +233,14 @@ class UsersController(BaseController):
h.flash(_("You can't edit this user"), category='warning')
return redirect(url('users'))
- c.perm_user = AuthUser(user_id=id)
+ c.perm_user = AuthUser(user_id=id, ip_addr=self.ip_addr)
c.user.permissions = {}
c.granted_permissions = UserModel().fill_perms(c.user)\
.permissions['global']
c.user_email_map = UserEmailMap.query()\
.filter(UserEmailMap.user == c.user).all()
+ c.user_ip_map = UserIpMap.query()\
+ .filter(UserIpMap.user == c.user).all()
user_model = UserModel()
c.ldap_dn = c.user.ldap_dn
defaults = c.user.get_dict()
@@ -299,7 +303,6 @@ class UsersController(BaseController):
"""POST /user_emails:Add an existing item"""
# url('user_emails', id=ID, method='put')
- #TODO: validation and form !!!
email = request.POST.get('new_email')
user_model = UserModel()
@@ -324,3 +327,36 @@ class UsersController(BaseController):
Session().commit()
h.flash(_("Removed email from user"), category='success')
return redirect(url('edit_user', id=id))
+
+ def add_ip(self, id):
+ """POST /user_ips:Add an existing item"""
+ # url('user_ips', id=ID, method='put')
+
+ ip = request.POST.get('new_ip')
+ user_model = UserModel()
+
+ try:
+ user_model.add_extra_ip(id, ip)
+ Session().commit()
+ h.flash(_("Added ip %s to user") % ip, category='success')
+ except formencode.Invalid, error:
+ msg = error.error_dict['ip']
+ h.flash(msg, category='error')
+ except Exception:
+ log.error(traceback.format_exc())
+ h.flash(_('An error occurred during ip saving'),
+ category='error')
+ if 'default_user' in request.POST:
+ return redirect(url('edit_permission', id='default'))
+ return redirect(url('edit_user', id=id))
+
+ def delete_ip(self, id):
+ """DELETE /user_ips_delete/id: Delete an existing item"""
+ # url('user_ips_delete', id=ID, method='delete')
+ user_model = UserModel()
+ user_model.delete_extra_ip(id, request.POST.get('del_ip'))
+ Session().commit()
+ h.flash(_("Removed ip from user"), category='success')
+ if 'default_user' in request.POST:
+ return redirect(url('edit_permission', id='default'))
+ return redirect(url('edit_user', id=id))
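Review bot: `delete_ip` calls `delete_extra_ip`, commits and flashes success with no error handling, unlike `add_ip` directly above and the email variant it mirrors; a failure (including `request.POST.get('del_ip')` being None) propagates as a 500 instead of a flashed error. In `add_ip`, `msg = error.error_dict['ip']` raises KeyError when the Invalid carries a different key, and because that happens inside an except handler the following `except Exception` does not catch it; `msg = error.error_dict.get('ip') or str(error)` avoids that. Since removing an address widens or changes an access restriction, logging the failure path is also useful for audit. Suggested shape for `delete_ip`:

```python
    def delete_ip(self, id):
        """DELETE /user_ips_delete/id: Delete an existing item"""
        # url('user_ips_delete', id=ID, method='delete')
        user_model = UserModel()
        try:
            user_model.delete_extra_ip(id, request.POST.get('del_ip'))
            Session().commit()
            h.flash(_("Removed ip from user"), category='success')
        except Exception:
            log.error(traceback.format_exc())
            h.flash(_('An error occurred during ip removal'),
                    category='error')
        # … unchanged: redirect to edit_permission / edit_user …
```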
diff --git a/rhodecode/controllers/api/__init__.py b/rhodecode/controllers/api/__init__.py
index 13fd7033..01cfe118 100644
--- a/rhodecode/controllers/api/__init__.py
+++ b/rhodecode/controllers/api/__init__.py
@@ -43,7 +43,7 @@ from webob.exc import HTTPNotFound, HTTPForbidden, HTTPInternalServerError, \
HTTPBadRequest, HTTPError
from rhodecode.model.db import User
-from rhodecode.lib.auth import AuthUser
+from rhodecode.lib.auth import AuthUser, check_ip_access
from rhodecode.lib.base import _get_ip_addr, _get_access_path
from rhodecode.lib.utils2 import safe_unicode
@@ -99,6 +99,7 @@ class JSONRPCController(WSGIController):
controller and if it exists, dispatch to it.
"""
start = time.time()
+ ip_addr = self._get_ip_addr(environ)
self._req_id = None
if 'CONTENT_LENGTH' not in environ:
log.debug("No Content-Length")
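Review bot: `ip_addr = self._get_ip_addr(environ)` calls a method that this commit defines only on the `ApiController` subclass (the api.py hunk), not on `JSONRPCController` itself, so the base class or any other subclass would raise AttributeError at the start of dispatch. This module already imports `_get_ip_addr` from `rhodecode.lib.base` (visible in the first hunk's context line), so `ip_addr = _get_ip_addr(environ)` would work here without the indirection; if the subclass hook is intentional, add a base implementation that delegates to the module-level function. The enclosing method starts outside this hunk.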
@@ -144,7 +145,17 @@ class JSONRPCController(WSGIController):
if u is None:
return jsonrpc_error(retid=self._req_id,
message='Invalid API KEY')
- auth_u = AuthUser(u.user_id, self._req_api_key)
+ #check if we are allowed to use this IP
+ allowed_ips = AuthUser.get_allowed_ips(u.user_id)
+ if check_ip_access(source_ip=ip_addr, allowed_ips=allowed_ips) is False:
+ log.info('Access for IP:%s forbidden, '
+ 'not in %s' % (ip_addr, allowed_ips))
+ return jsonrpc_error(retid=self._req_id,
+ message='request from IP:%s not allowed' % (ip_addr))
+ else:
+ log.info('Access for IP:%s allowed' % (ip_addr))
+
+ auth_u = AuthUser(u.user_id, self._req_api_key, ip_addr=ip_addr)
except Exception, e:
return jsonrpc_error(retid=self._req_id,
message='Invalid API KEY')
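Review bot: `if check_ip_access(source_ip=ip_addr, allowed_ips=allowed_ips) is False:` compares by identity, so any other falsy result (None, an empty list) would be treated as allowed — a fail-open check for an access restriction, unless `check_ip_access` is guaranteed to return exactly True or False; `if not check_ip_access(source_ip=ip_addr, allowed_ips=allowed_ips):` fails closed. A failure inside `get_allowed_ips` or `check_ip_access` is caught by the `except Exception, e:` below and reported as 'Invalid API KEY', which hides IP-restriction problems; logging the traceback there would help when diagnosing lockouts. The new log calls format eagerly with `%`; the logging idiom is `log.info('Access for IP:%s allowed', ip_addr)`. The enclosing method starts outside this hunk.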
diff --git a/rhodecode/controllers/api/api.py b/rhodecode/controllers/api/api.py
index 8a0b2dfe..c3b31c58 100644
--- a/rhodecode/controllers/api/api.py
+++ b/rhodecode/controllers/api/api.py
@@ -140,6 +140,9 @@ class ApiController(JSONRPCController):
errors that happens
"""
+ def _get_ip_addr(self, environ):
+ from rhodecode.lib.base import _get_ip_addr
+ return _get_ip_addr(environ)
@HasPermissionAllDecorator('hg.admin')
def pull(self, apiuser, repoid):
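Review bot: The new `_get_ip_addr` has no docstring and the reason for the function-scope import is not stated; presumably it avoids an import cycle with `rhodecode.lib.base`, but a reader cannot tell, and `api/__init__.py` already imports the same function at module level. Suggest `"""Return the client IP address for *environ* (delegates to rhodecode.lib.base._get_ip_addr; imported locally — confirm whether this is needed to avoid a circular import)."""`. A blank line before the `@HasPermissionAllDecorator` that follows would match the file's method spacing.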