vbatts/quay
Archived
1
0
Fork 0
Code Issues Pull requests Releases Wiki Activity

Load flask principal permissions even for web and api endpoints.

Browse source
This commit is contained in:
yackob03 2013-09-26 16:32:09 -04:00
parent 23cbcb2979
commit 9278871381
6 changed files with 33 additions and 15 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
app.py
View file

@ -8,7 +8,7 @@ from flask.ext.login import LoginManager
app = Flask(__name__) app = Flask(__name__)
logger = logging.getLogger(__name__) logger = logging.getLogger(__name__)
Principal(app, use_sessions=False) Principal(app, use_sessions=True)
app.secret_key = '1cb18882-6d12-440d-a4cc-b7430fb5f884' app.secret_key = '1cb18882-6d12-440d-a4cc-b7430fb5f884'

6
auth/auth.py
View file

@ -41,8 +41,8 @@ def process_basic_auth():
ctx = _request_ctx_stack.top ctx = _request_ctx_stack.top
ctx.authenticated_user = authenticated ctx.authenticated_user = authenticated
identity_changed.send(app, identity=Identity(authenticated.username)) identity_changed.send(app, identity=Identity(authenticated.username,
'username'))
return return
# We weren't able to authenticate via basic auth. # We weren't able to authenticate via basic auth.
@ -85,7 +85,7 @@ def process_token():
ctx = _request_ctx_stack.top ctx = _request_ctx_stack.top
ctx.validated_token = validated ctx.validated_token = validated
identity_changed.send(app, identity=Identity(validated.code)) identity_changed.send(app, identity=Identity(validated.code, 'token'))
return return

27
auth/permissions.py
View file

@ -1,6 +1,7 @@
import logging import logging
from flask.ext.principal import identity_loaded, UserNeed, Permission from flask.ext.principal import identity_loaded, UserNeed, Permission
from flask.ext.login import current_user
from collections import namedtuple from collections import namedtuple
from functools import partial from functools import partial
@ -42,22 +43,30 @@ class UserPermission(Permission):
def on_identity_loaded(sender, identity): def on_identity_loaded(sender, identity):
logger.debug('Identity loaded: %s' % identity) logger.debug('Identity loaded: %s' % identity)
# We have verified an identity, load in all of the permissions # We have verified an identity, load in all of the permissions
if get_authenticated_user():
identity.provides.add(UserNeed(get_authenticated_user().username))
for user in model.get_all_repo_permissions(get_authenticated_user()): if identity.auth_type == 'username':
logger.debug('Computing permissions for user: %s' % identity.id)
user_object = model.get_user(identity.id)
identity.provides.add(UserNeed(user_object.username))
for user in model.get_all_repo_permissions(user_object):
grant = _RepositoryNeed(user.repositorypermission.repository.namespace, grant = _RepositoryNeed(user.repositorypermission.repository.namespace,
user.repositorypermission.repository.name, user.repositorypermission.repository.name,
user.repositorypermission.role.name) user.repositorypermission.role.name)
logger.debug('User added permission: {0}'.format(grant)) logger.debug('User added permission: {0}'.format(grant))
identity.provides.add(grant) identity.provides.add(grant)
if get_validated_token(): elif identity.auth_type == 'token':
query = model.get_user_repo_permissions(get_validated_token().user, logger.debug('Computing permissions for token: %s' % identity.id)
get_validated_token().repository)
token = model.get_token(identity.id)
query = model.get_user_repo_permissions(token.user, token.repository)
for permission in query: for permission in query:
t_grant = _RepositoryNeed(get_validated_token().repository.namespace, t_grant = _RepositoryNeed(token.repository.namespace,
get_validated_token().repository.name, token.repository.name, permission.role.name)
permission.role.name)
logger.debug('Token added permission: {0}'.format(t_grant)) logger.debug('Token added permission: {0}'.format(t_grant))
identity.provides.add(t_grant) identity.provides.add(t_grant)
else:
logger.error('Unknown identity auth type: %s' % identity.auth_type)

4
data/model.py
View file

@ -50,6 +50,10 @@ def verify_token(code, namespace_name, repository_name):
return None return None
def get_token(code):
return AccessToken.get(AccessToken.code == code)
def change_password(user, new_password): def change_password(user, new_password):
pw_hash = bcrypt.hashpw(new_password, bcrypt.gensalt()) pw_hash = bcrypt.hashpw(new_password, bcrypt.gensalt())
user.password_hash = pw_hash user.password_hash = pw_hash

5
endpoints/web.py
View file

@ -2,6 +2,7 @@ import logging
from flask import abort, send_file, redirect, request, url_for from flask import abort, send_file, redirect, request, url_for
from flask.ext.login import login_user, UserMixin from flask.ext.login import login_user, UserMixin
from flask.ext.principal import identity_changed, Identity
from data import model from data import model
from app import app, login_manager from app import app, login_manager
@ -46,6 +47,10 @@ def signin():
logger.debug('Successfully signed in as: %s' % username) logger.debug('Successfully signed in as: %s' % username)
login_user(_LoginWrappedDBUser(verified)) login_user(_LoginWrappedDBUser(verified))
identity_changed.send(app, identity=Identity(verified.username,
'username'))
return redirect(request.args.get('next') or url_for('index')) return redirect(request.args.get('next') or url_for('index'))
abort(403) abort(403)