
import logging
import re
from django.http import HttpResponse
from django.contrib.auth import authenticate
from ...models import User, RabbitMQInstance

LOGGER = logging.getLogger(__name__)


def _check_vhost(request):
    """Return True when the POSTed ``vhost`` equals the configured one.

    The expected value comes from ``RabbitMQInstance.load().vhost``; that
    lookup is skipped entirely when the request carries no ``vhost`` field.
    Every rejection (missing or mismatching vhost) is logged at error level.
    """
    params = request.POST
    if 'vhost' in params:
        expected = RabbitMQInstance.load().vhost
        if params['vhost'] == expected:
            return True

    # Fail closed: anything that did not match exactly is refused.
    LOGGER.error('illegal vhost requested')
    return False

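def _check_permission(request):
    """Return True when the POSTed ``permission`` is a non-write permission.

    Only ``configure`` and ``read`` are accepted. A missing field, ``write``
    or any other value is refused and logged at error level.
    """
    # Allowlist instead of "anything except 'write'": the previous check let
    # every unexpected value through, so a typo or a permission name this
    # code has never heard of was treated as harmless.
    # NOTE(review): 'configure' and 'read' are the other two permission names
    # RabbitMQ uses besides 'write' - confirm no caller sends anything else.
    if request.POST.get('permission') in ('configure', 'read'):
        return True

    LOGGER.error('illegal permission requested')
    return False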

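def _get_user(request):
    """Look up the ``apiclient`` user named in the POSTed ``username``.

    Returns the matching ``User``, or ``None`` when the request has no
    ``username`` field or no ``apiclient`` account carries that name.
    """
    if 'username' not in request.POST:
        return None

    api_clients = User.objects.filter(user_type='apiclient')
    try:
        return api_clients.get(username=request.POST['username'])
    except User.DoesNotExist:
        # Callers test the result for truthiness and answer "deny"; an
        # unknown username must reach that path instead of surfacing as an
        # unhandled exception (HTTP 500) in the authorization endpoint.
        # MultipleObjectsReturned is deliberately not caught: ambiguous
        # identities should stay visible as an error.
        return None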

# client authentication for RabbitMQ
def user_endpoint(request):
    """Authenticate a RabbitMQ client from POSTed ``username``/``password``.

    Responds with ``allow administrator`` for superusers, ``allow management``
    for every other account that authenticates, and ``deny`` when a field is
    missing or ``authenticate()`` returns nothing. The password is never
    logged; only the authenticated user object is.
    """
    form = request.POST
    account = None
    if 'username' in form and 'password' in form:
        account = authenticate(username=form['username'],
                               password=form['password'])

    if not account:
        LOGGER.error('Failed to authenticate user for RabbitMQ')
        return HttpResponse("deny")

    LOGGER.info('Authenticated client as %s', account)

    # NOTE(review): unlike _get_user(), this path does not filter on
    # user_type='apiclient' - any account that authenticates receives the
    # management tag. Confirm that is intended.
    if account.is_superuser:
        return HttpResponse("allow administrator")
    return HttpResponse("allow management")


# client authorization checks for RabbitMQ
def vhost(request):
    """Answer the vhost authorization check for RabbitMQ.

    Responds ``allow`` only when ``_check_vhost`` accepts the request;
    otherwise logs the full POST data at error level and responds ``deny``.
    """
    if not _check_vhost(request):
        # The whole POST body is written to the log to aid diagnosis.
        LOGGER.error('Authorization check for vhost failed for %s', request.POST)
        return HttpResponse("deny")

    # Request targets the configured virtual host.
    return HttpResponse("allow")

def resource(request):
    """Answer the resource authorization check for RabbitMQ.

    After the vhost check, ``allow`` is returned in exactly two cases:

    * ``resource`` is ``queue`` and ``name`` starts with ``amq.gen-``;
    * ``resource`` is ``exchange``, ``_check_permission`` accepts the request
      and ``name`` equals ``RabbitMQInstance.load().exchange``.

    Everything else, including ``resource == 'topic'``, is logged together
    with the POST data and answered with ``deny``.
    """
    if _check_vhost(request):
        post = request.POST
        if 'resource' in post and 'name' in post:
            kind = post['resource']
            name = post['name']
            granted = False

            if kind == 'queue':
                # The temporary queue a client binds to our exchange.
                # NOTE(review): this rule looks at neither the permission nor
                # the requesting user, so every operation on any queue with
                # this prefix is allowed - confirm that is acceptable.
                granted = name.startswith('amq.gen-')
            elif kind == 'exchange' and _check_permission(request):
                # Our exchange, and only for non-write permissions.
                granted = name == RabbitMQInstance.load().exchange
            elif kind == 'topic':
                # Never granted here; the permission check is still run so
                # its error logging stays the same.
                _check_permission(request)

            if granted:
                return HttpResponse('allow')

    LOGGER.error('Authorization check for resource failed for %s', request.POST)
    return HttpResponse("deny")


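def topic(request):
    """Answer the topic authorization check for RabbitMQ.

    Responds ``allow`` only when all of the following hold:

    * the request targets the configured vhost (``_check_vhost``);
    * the requested permission passes ``_check_permission``;
    * ``_get_user`` finds the user named in the request;
    * ``routing_key`` is ``service.<name>`` where ``<name>`` is exactly the
      name of one of the services of the user's site.

    Any other request is logged with its POST data and answered with ``deny``.
    """
    prefix = 'service.'

    # Check the virtual host first, then the permission.
    if _check_vhost(request) and _check_permission(request):
        user = _get_user(request)
        routing_key = request.POST.get('routing_key', '')
        if user and routing_key.startswith(prefix):
            # Take the service name as the literal remainder after the prefix.
            # The previous re.search('service.(.+)') was unanchored and used an
            # unescaped dot, so it could pick the name up from a later
            # occurrence in the key instead of the part right after the prefix.
            service_name = routing_key[len(prefix):]

            # Exact comparison: wildcard keys only pass if a service carries
            # that literal name. An empty remainder is always refused.
            if service_name and any(
                    service_name == service.name
                    for service in user.site.services.all()):
                return HttpResponse('allow')

    LOGGER.error('Authorization check for topic failed for %s', request.POST)
    return HttpResponse('deny')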