Commit 17708a9e authored by Lukas Burgey's avatar Lukas Burgey

Rework client auth checks

parent 81745713
......@@ -139,80 +139,84 @@ def _resource_authorized_apiclient(request):
and not 'write' in permission
)
def resource_endpoint(request):
resource = request.POST.get('resource')
name = request.POST.get('name', '')
def resource_auth_decision(request, decision):
user = request.POST.get('username')
permission = request.POST.get('permission', [])
resource = request.POST.get('resource', '')
name = request.POST.get('name', '')
if decision == ALLOW:
LOGGER.debug(
"[resource] ALLOW %s %s '%s' for %s",
permission,
resource,
name,
user,
)
else:
LOGGER.error(
"[recource] DENY %s %s '%s' for %s",
permission,
resource,
name,
user,
)
return decision
def resource_endpoint(request):
if _valid_vhost(request):
if (
_webpage_client_userid(request)
and _resource_authorized_webpage_client(request)
):
if CLIENT_DEBUGGING:
LOGGER.debug(
'[auth:resource_endpoint] Granted %s access to resource %s %s to client',
permission,
resource,
name,
)
return ALLOW
return resource_auth_decision(request, ALLOW)
if (
_apiclient_valid(request)
and _resource_authorized_apiclient(request)
):
if CLIENT_DEBUGGING:
LOGGER.debug(
'[auth:resource_endpoint] Granted %s access to resource %s %s to client',
permission,
resource,
name,
)
return ALLOW
return resource_auth_decision(request, ALLOW)
LOGGER.error(
'[auth:resource_endpoint] check of %s %s (%s) for client failed',
resource,
name,
permission,
)
return DENY
return resource_auth_decision(request, DENY)
def topic_endpoint_webpageclient(request, webpage_client_userid):
def topic_auth_decision(request, decision):
user = request.POST.get('username')
permission = request.POST.get('permission', [])
resource = request.POST.get('resource', '')
name = request.POST.get('name', '')
routing_key = request.POST.get('routing_key', '')
try:
models.User.objects.get(id=webpage_client_userid)
if not 'write' in permission:
if CLIENT_DEBUGGING:
LOGGER.debug(
'[auth:topic_endpoint] Granted %s access to %s %s to client',
permission,
resource,
routing_key,
)
return ALLOW
LOGGER.error(
'[auth:topic_endpoint_webpageclient] Auth check for resource %s %s %s for client failed: write permission requested',
if decision == ALLOW:
LOGGER.debug(
"[topic] ALLOW %s %s %s '%s' for %s",
permission,
resource,
name,
routing_key,
user,
)
return DENY
except models.User.DoesNotExist:
else:
LOGGER.error(
'[auth:topic_endpoint_webpageclient] Auth check for resource %s %s %s for client failed',
"[topic] DENY %s %s %s '%s' for %s",
permission,
resource,
name,
routing_key,
user,
)
return DENY
return decision
def topic_endpoint_webpageclient(request, webpage_client_userid):
permission = request.POST.get('permission', [])
try:
models.User.objects.get(id=webpage_client_userid)
if not 'write' in permission:
return topic_auth_decision(request, ALLOW)
return topic_auth_decision(request, DENY)
except models.User.DoesNotExist:
return topic_auth_decision(request, DENY)
def topic_endpoint_apiclient(request, apiclient):
name = request.POST.get('name', '')
......@@ -227,13 +231,9 @@ def topic_endpoint_apiclient(request, apiclient):
return ALLOW
elif name == 'sites':
if routing_key == apiclient.site.name:
return ALLOW
else:
LOGGER.error(
'[auth:topic_endpoint] Client of site %s tried to access site %s',
apiclient.site,
routing_key,
)
return topic_auth_decision(request, ALLOW)
return topic_auth_decision(request, DENY)
elif name == 'groups':
try:
group = Group.objects.get(name=routing_key)
......@@ -243,22 +243,18 @@ def topic_endpoint_apiclient(request, apiclient):
services__groups=group,
client=apiclient,
)
return ALLOW
return topic_auth_decision(request, ALLOW)
except models.Site.MultipleObjectsReturned:
return ALLOW
return topic_auth_decision(request, ALLOW)
except models.Site.DoesNotExist:
return DENY
return topic_auth_decision(request, DENY)
except Group.DoesNotExist:
return DENY
return topic_auth_decision(request, DENY)
LOGGER.error(
'[auth:topic_endpoint_apiclient] Authorization check for topic failed for %s',
request.POST,
)
return DENY
return topic_auth_decision(request, DENY)
def topic_endpoint(request):
if not _valid_vhost(request) or not _valid_permission(request):
......@@ -272,6 +268,4 @@ def topic_endpoint(request):
if apiclient:
return topic_endpoint_apiclient(request, apiclient)
LOGGER.error('[auth:topic_endpoint] Authorization check for topic failed for %s', request.POST)
return DENY
return topic_auth_decision(request, DENY)
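Review bot: The DENY branch of the new `resource_auth_decision` helper tags its log line `[recource]` while its ALLOW branch and `topic_auth_decision` use `[resource]` / `[topic]`, so any grep or SIEM rule keyed on `[resource] DENY` would miss every resource denial; change it to `"[resource] DENY %s %s '%s' for %s",`. Both helpers also write client-supplied POST fields (`username`, `resource`, `name`, `routing_key`) into an ERROR-level record verbatim, which appears to let any client that can reach the auth endpoint inject newlines into the audit log or flood it at error severity; logging denials at WARNING and formatting the untrusted fields with `%r` would keep the record parseable. The first hunk also drops the old `CLIENT_DEBUGGING` guard, so ALLOW lines for every successful check are now emitted unconditionally at DEBUG, which seems intentional but is worth a one-line comment on the helper. The function `_resource_authorized_apiclient` that the first hunk opens in starts outside the hunk.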