From 927887138167e330f9cfea34f8c7d680fa520677 Mon Sep 17 00:00:00 2001
From: yackob03
Date: Thu, 26 Sep 2013 16:32:09 -0400
Subject: [PATCH] Load flask principal permissions even for web and api endpoints.

---
 app.py | 2 +-
 auth/auth.py | 8 ++++----
 auth/permissions.py | 27 ++++++++++++++++++---------
 data/model.py | 4 ++++
 endpoints/registry.py | 2 +-
 endpoints/web.py | 5 +++++
 6 files changed, 33 insertions(+), 15 deletions(-)

diff --git a/app.py b/app.py
index e6b009e1a..3f72d3cd0 100644
--- a/app.py
+++ b/app.py
@@ -8,7 +8,7 @@ from flask.ext.login import LoginManager
 app = Flask(__name__)
 logger = logging.getLogger(__name__)
-Principal(app, use_sessions=False)
+Principal(app, use_sessions=True)
 app.secret_key = '1cb18882-6d12-440d-a4cc-b7430fb5f884'
diff --git a/auth/auth.py b/auth/auth.py
index 08cc6986b..d0a947d05 100644
--- a/auth/auth.py
+++ b/auth/auth.py
@@ -41,8 +41,8 @@ def process_basic_auth():
 ctx = _request_ctx_stack.top
 ctx.authenticated_user = authenticated
- identity_changed.send(app, identity=Identity(authenticated.username))
-
+ identity_changed.send(app, identity=Identity(authenticated.username,
+ 'username'))
 return
 # We weren't able to authenticate via basic auth.
@@ -85,7 +85,7 @@ def process_token():
 ctx = _request_ctx_stack.top
 ctx.validated_token = validated
- identity_changed.send(app, identity=Identity(validated.code))
+ identity_changed.send(app, identity=Identity(validated.code, 'token'))
 return
@@ -111,4 +111,4 @@ def extract_namespace_repo_from_session(f):
 abort(400)
 return f(session['namespace'], session['repository'], *args, **kwargs)
- return wrapper
\ No newline at end of file
+ return wrapper
diff --git a/auth/permissions.py b/auth/permissions.py
index f0e4c6f82..ab168f063 100644
--- a/auth/permissions.py
+++ b/auth/permissions.py
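Review bot: With `Principal(app, use_sessions=True)` the identity id and auth_type are now carried between requests in the Flask session cookie, and that cookie is protected only by `app.secret_key`, which the context line just below this change still sets from a string literal committed in source. Whoever holds that value (it is in the repository history) can sign a session naming any username, and `on_identity_loaded` in auth/permissions.py will then grant that user's repository permissions on the next request, so the key should come from configuration or the environment, e.g. `app.secret_key = os.environ['SECRET_KEY']`, and the committed value rotated. Flask's default session is signed but not encrypted, so the raw access-token code that auth/auth.py now sends as `Identity(validated.code, 'token')` will also be stored readably in the cookie handed back to token-authenticated API clients; persisting a surrogate id rather than the secret itself would avoid that.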
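Review bot: The auth-type tags `'username'` (here) and `'token'` (in the `process_token` hunk below) are bare string literals that must match `identity.auth_type == 'username'` / `== 'token'` in auth/permissions.py and the second `Identity(verified.username, 'username')` in endpoints/web.py; a typo in any one spot fails closed but silently, with the permission loader's `else` branch logging an error and no needs being added. I'd define them once next to `on_identity_loaded`, e.g. `AUTH_TYPE_USERNAME = 'username'` and `AUTH_TYPE_TOKEN = 'token'`, and use the constants in `process_basic_auth`, `process_token` and `signin`. Both `process_basic_auth` and `process_token` start and end outside their hunks.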
@@ -1,6 +1,7 @@
 import logging
 from flask.ext.principal import identity_loaded, UserNeed, Permission
+from flask.ext.login import current_user
 from collections import namedtuple
 from functools import partial
@@ -42,22 +43,30 @@ class UserPermission(Permission):
 def on_identity_loaded(sender, identity):
 logger.debug('Identity loaded: %s' % identity)
 # We have verified an identity, load in all of the permissions
- if get_authenticated_user():
- identity.provides.add(UserNeed(get_authenticated_user().username))
- for user in model.get_all_repo_permissions(get_authenticated_user()):
+ if identity.auth_type == 'username':
+ logger.debug('Computing permissions for user: %s' % identity.id)
+
+ user_object = model.get_user(identity.id)
+
+ identity.provides.add(UserNeed(user_object.username))
+ for user in model.get_all_repo_permissions(user_object):
 grant = _RepositoryNeed(user.repositorypermission.repository.namespace,
 user.repositorypermission.repository.name,
 user.repositorypermission.role.name)
 logger.debug('User added permission: {0}'.format(grant))
 identity.provides.add(grant)
- if get_validated_token():
- query = model.get_user_repo_permissions(get_validated_token().user,
- get_validated_token().repository)
+ elif identity.auth_type == 'token':
+ logger.debug('Computing permissions for token: %s' % identity.id)
+
+ token = model.get_token(identity.id)
+ query = model.get_user_repo_permissions(token.user, token.repository)
 for permission in query:
- t_grant = _RepositoryNeed(get_validated_token().repository.namespace,
- get_validated_token().repository.name,
- permission.role.name)
+ t_grant = _RepositoryNeed(token.repository.namespace,
+ token.repository.name, permission.role.name)
 logger.debug('Token added permission: {0}'.format(t_grant))
 identity.provides.add(t_grant)
+
+ else:
+ logger.error('Unknown identity auth type: %s' % identity.auth_type)
diff --git a/data/model.py b/data/model.py
index 6cae25da5..cfaaec44e 100644
--- a/data/model.py
+++ b/data/model.py
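Review bot: `current_user` is imported from flask.ext.login here but nothing in the rewritten `on_identity_loaded` below uses it (the identity is resolved from `identity.id` through `model.get_user` / `model.get_token`), so unless it is referenced elsewhere in the file outside these hunks the line `from flask.ext.login import current_user` is an unused import that couples the permission loader to Flask-Login for no benefit. I'd remove it; if it is needed later it can be imported where it is actually used.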
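Review bot: `user_object = model.get_user(identity.id)` and `token = model.get_token(identity.id)` are used without checking that a row was found, and since the identity is now reloaded from the session cookie on every request (`use_sessions=True` in app.py) a user or token deleted after the cookie was issued, or a stale id, will reach these lines—previously they ran only right after `process_basic_auth`/`process_token` had verified the object. `get_token` is implemented with `AccessToken.get(...)`, which for a peewee model raises `DoesNotExist` on a miss, so such a client would get an unhandled exception on every request instead of simply carrying no permissions. I'd make a miss fail closed: catch the lookup's not-found exception (or test for `None` if the model helpers return that), log at warning level and `return` before any `identity.provides.add`. Flask-Principal also sends `identity_loaded` for the `AnonymousIdentity` it assigns to requests without a stored identity, whose `auth_type` is `None`, so the new `else` branch will log `Unknown identity auth type: None` at error level on every unauthenticated request; `elif identity.auth_type is not None:` around the error keeps that log meaningful. The end of `on_identity_loaded` may lie past the hunk.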
@@ -50,6 +50,10 @@ def verify_token(code, namespace_name, repository_name):
 return None
+def get_token(code):
+ return AccessToken.get(AccessToken.code == code)
+
+
 def change_password(user, new_password):
 pw_hash = bcrypt.hashpw(new_password, bcrypt.gensalt())
 user.password_hash = pw_hash
diff --git a/endpoints/registry.py b/endpoints/registry.py
index 0c8ad4c1a..7dfb74667 100644
--- a/endpoints/registry.py
+++ b/endpoints/registry.py
@@ -219,7 +219,7 @@ def get_image_ancestry(namespace, repository, image_id, headers):
 image_id))
 except IOError:
 abort(404) #'Image not found', 404)
- response = make_response(json.dumps(json.loads(data)), 200)
+ response = make_response(json.dumps(json.loads(data)), 200)
 response.headers.extend(headers)
 return response
diff --git a/endpoints/web.py b/endpoints/web.py
index 887bb2002..2eeecf94c 100644
--- a/endpoints/web.py
+++ b/endpoints/web.py
@@ -2,6 +2,7 @@ import logging
 from flask import abort, send_file, redirect, request, url_for
 from flask.ext.login import login_user, UserMixin
+from flask.ext.principal import identity_changed, Identity
 from data import model
 from app import app, login_manager
@@ -46,6 +47,10 @@ def signin():
 logger.debug('Successfully signed in as: %s' % username)
 login_user(_LoginWrappedDBUser(verified))
+
+ identity_changed.send(app, identity=Identity(verified.username,
+ 'username'))
+
 return redirect(request.args.get('next') or url_for('index'))
 abort(403)
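Review bot: `get_token` returns `AccessToken.get(AccessToken.code == code)` directly, which for a peewee model raises `AccessToken.DoesNotExist` when no row matches, whereas the sibling `verify_token` in the context just above returns `None` on failure; the only caller this commit adds, `on_identity_loaded` in auth/permissions.py, catches nothing, so a revoked or unknown code stored in a session identity becomes an unhandled exception on every request from that client. Returning `None` like `verify_token` keeps the module's convention and lets the caller bail out without adding any needs. Note also that, unlike `verify_token`, this looks a token up by raw code with no namespace/repository check, which is fine for loading permissions only as long as no caller treats a hit as authorization by itself.
```python
def get_token(code):
  try:
    return AccessToken.get(AccessToken.code == code)
  except AccessToken.DoesNotExist:
    return None
```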
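Review bot: After `login_user(...)` the new `identity_changed.send(app, identity=Identity(verified.username, 'username'))` stores the principal identity in the session (Flask-Principal persists it now that `use_sessions=True`), but nothing in this commit clears it again: Flask-Login's `logout_user()` only removes its own session keys, so if the app has a logout view it also needs `identity_changed.send(app, identity=AnonymousIdentity())`, otherwise the previous user's repository permissions keep being loaded on every later request in the same browser session. I cannot see a logout view in this diff, so this is a point to confirm rather than a visible defect. The `'username'` literal here must also stay identical to the tag compared in auth/permissions.py; a shared constant would make that explicit.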