Commit 17708a9e authored by Lukas Burgey's avatar Lukas Burgey

Rework client auth checks

parent 81745713
...@@ -139,80 +139,84 @@ def _resource_authorized_apiclient(request): ...@@ -139,80 +139,84 @@ def _resource_authorized_apiclient(request):
and not 'write' in permission and not 'write' in permission
) )
def resource_endpoint(request): def resource_auth_decision(request, decision):
resource = request.POST.get('resource') user = request.POST.get('username')
name = request.POST.get('name', '')
permission = request.POST.get('permission', []) permission = request.POST.get('permission', [])
resource = request.POST.get('resource', '')
name = request.POST.get('name', '')
if decision == ALLOW:
LOGGER.debug(
"[resource] ALLOW %s %s '%s' for %s",
permission,
resource,
name,
user,
)
else:
LOGGER.error(
"[recource] DENY %s %s '%s' for %s",
permission,
resource,
name,
user,
)
return decision
def resource_endpoint(request):
if _valid_vhost(request): if _valid_vhost(request):
if ( if (
_webpage_client_userid(request) _webpage_client_userid(request)
and _resource_authorized_webpage_client(request) and _resource_authorized_webpage_client(request)
): ):
if CLIENT_DEBUGGING: return resource_auth_decision(request, ALLOW)
LOGGER.debug(
'[auth:resource_endpoint] Granted %s access to resource %s %s to client',
permission,
resource,
name,
)
return ALLOW
if ( if (
_apiclient_valid(request) _apiclient_valid(request)
and _resource_authorized_apiclient(request) and _resource_authorized_apiclient(request)
): ):
if CLIENT_DEBUGGING: return resource_auth_decision(request, ALLOW)
LOGGER.debug(
'[auth:resource_endpoint] Granted %s access to resource %s %s to client',
permission,
resource,
name,
)
return ALLOW
LOGGER.error( return resource_auth_decision(request, DENY)
'[auth:resource_endpoint] check of %s %s (%s) for client failed',
resource,
name,
permission,
)
return DENY
def topic_endpoint_webpageclient(request, webpage_client_userid): def topic_auth_decision(request, decision):
user = request.POST.get('username')
permission = request.POST.get('permission', []) permission = request.POST.get('permission', [])
resource = request.POST.get('resource', '') resource = request.POST.get('resource', '')
name = request.POST.get('name', '') name = request.POST.get('name', '')
routing_key = request.POST.get('routing_key', '') routing_key = request.POST.get('routing_key', '')
try: if decision == ALLOW:
models.User.objects.get(id=webpage_client_userid) LOGGER.debug(
"[topic] ALLOW %s %s %s '%s' for %s",
if not 'write' in permission: permission,
if CLIENT_DEBUGGING:
LOGGER.debug(
'[auth:topic_endpoint] Granted %s access to %s %s to client',
permission,
resource,
routing_key,
)
return ALLOW
LOGGER.error(
'[auth:topic_endpoint_webpageclient] Auth check for resource %s %s %s for client failed: write permission requested',
resource, resource,
name, name,
routing_key, routing_key,
user,
) )
return DENY else:
except models.User.DoesNotExist:
LOGGER.error( LOGGER.error(
'[auth:topic_endpoint_webpageclient] Auth check for resource %s %s %s for client failed', "[topic] DENY %s %s %s '%s' for %s",
permission,
resource, resource,
name, name,
routing_key, routing_key,
user,
) )
return DENY return decision
def topic_endpoint_webpageclient(request, webpage_client_userid):
permission = request.POST.get('permission', [])
try:
models.User.objects.get(id=webpage_client_userid)
if not 'write' in permission:
return topic_auth_decision(request, ALLOW)
return topic_auth_decision(request, DENY)
except models.User.DoesNotExist:
return topic_auth_decision(request, DENY)
def topic_endpoint_apiclient(request, apiclient): def topic_endpoint_apiclient(request, apiclient):
name = request.POST.get('name', '') name = request.POST.get('name', '')
...@@ -227,13 +231,9 @@ def topic_endpoint_apiclient(request, apiclient): ...@@ -227,13 +231,9 @@ def topic_endpoint_apiclient(request, apiclient):
return ALLOW return ALLOW
elif name == 'sites': elif name == 'sites':
if routing_key == apiclient.site.name: if routing_key == apiclient.site.name:
return ALLOW return topic_auth_decision(request, ALLOW)
else:
LOGGER.error( return topic_auth_decision(request, DENY)
'[auth:topic_endpoint] Client of site %s tried to access site %s',
apiclient.site,
routing_key,
)
elif name == 'groups': elif name == 'groups':
try: try:
group = Group.objects.get(name=routing_key) group = Group.objects.get(name=routing_key)
...@@ -243,22 +243,18 @@ def topic_endpoint_apiclient(request, apiclient): ...@@ -243,22 +243,18 @@ def topic_endpoint_apiclient(request, apiclient):
services__groups=group, services__groups=group,
client=apiclient, client=apiclient,
) )
return ALLOW return topic_auth_decision(request, ALLOW)
except models.Site.MultipleObjectsReturned: except models.Site.MultipleObjectsReturned:
return ALLOW return topic_auth_decision(request, ALLOW)
except models.Site.DoesNotExist: except models.Site.DoesNotExist:
return DENY return topic_auth_decision(request, DENY)
except Group.DoesNotExist: except Group.DoesNotExist:
return DENY return topic_auth_decision(request, DENY)
LOGGER.error( return topic_auth_decision(request, DENY)
'[auth:topic_endpoint_apiclient] Authorization check for topic failed for %s',
request.POST,
)
return DENY
def topic_endpoint(request): def topic_endpoint(request):
if not _valid_vhost(request) or not _valid_permission(request): if not _valid_vhost(request) or not _valid_permission(request):
...@@ -272,6 +268,4 @@ def topic_endpoint(request): ...@@ -272,6 +268,4 @@ def topic_endpoint(request):
if apiclient: if apiclient:
return topic_endpoint_apiclient(request, apiclient) return topic_endpoint_apiclient(request, apiclient)
return topic_auth_decision(request, DENY)
LOGGER.error('[auth:topic_endpoint] Authorization check for topic failed for %s', request.POST)
return DENY
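Review bot: The DENY paths that now funnel through `topic_auth_decision` and `resource_auth_decision` drop the reason for the refusal — the old messages distinguished "write permission requested", an unknown webpage user, and a site mismatch (`Client of site %s tried to access site %s` with `apiclient.site`), whereas the new error log records only the POSTed fields, so someone triaging denials can no longer tell a misconfigured client from a cross-site access attempt. A keyword such as `reason=''` on both helpers, appended to the log format, keeps the one-line call sites while preserving that context, e.g. `return topic_auth_decision(request, DENY, reason='site mismatch')` in the `elif name == 'sites':` branch of `topic_endpoint_apiclient` (that function and `topic_endpoint` both continue outside the hunks shown). The DENY format string in `resource_auth_decision` also has a typo: `"[recource] DENY %s %s '%s' for %s"` should read `"[resource] DENY %s %s '%s' for %s"` so log searches on the `[resource]` tag catch both outcomes. The two helpers are otherwise identical apart from `routing_key`, so a single shared decision logger taking the tag as a parameter would avoid keeping two copies of the format strings in sync.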