Add permissions for user types

6cdc234b · Lukas Burgey · 859bb780 · 6cdc234b · 6cdc234b · 6cdc234b
Commit 6cdc234b authored Jan 30, 2020 by Lukas Burgey
--- a/feudal/backend/models/users.py
+++ b/feudal/backend/models/users.py
@@ -24,11 +24,16 @@ def user_info_default():
 class User(AbstractUser):
    USER_ALREADY_EXISTS = Exception('The user does already exist. This usually implies that the IdP changed the sub. Only possible fix: delete the old user')

+    TYPE_CHOICE_DOWNSTREAM = 'apiclient'
+    TYPE_CHOICE_USER = 'oidcuser'
+    TYPE_CHOICE_ADMIN = 'admin'
+    TYPE_CHOICE_UPSTREAM = 'upstream'
+
    TYPE_CHOICES = (
-        ('apiclient', 'Downstream Client'),     # clients which connect to us via pubsub
-        ('oidcuser', 'Webpage User'),           # normal users which logged in using the webpage
-        ('admin', 'Admin'),                     # admins of the django admin
-        ('upstream', 'Upstream Client'),        # E.g. an idP that provides us with fresh userinfos or access tokens
+        (TYPE_CHOICE_DOWNSTREAM, 'Downstream Client'),  # clients which connect to us via pubsub
+        (TYPE_CHOICE_USER, 'Webpage User'),             # normal users which logged in using the webpage
+        (TYPE_CHOICE_ADMIN, 'Admin'),                   # admins of the django admin
+        (TYPE_CHOICE_UPSTREAM, 'Upstream Client'),      # E.g. an idP that provides us with fresh userinfos or access tokens
    )
    user_type = models.CharField(
        max_length=20,

--- a/feudal/backend/permissions.py
+++ b/feudal/backend/permissions.py
+
+from rest_framework.permissions import IsAuthenticated
+
+from .models import User
+
+
+class TypeOnly(IsAuthenticated):
+    user_type = ''
+
+    def has_permission(self, request, view):
+        return super().has_permission(self, request, view) and request.user.user_type == self.user_type
+
+
+class UpstreamOnly(IsAuthenticated):
+    user_type = User.TYPE_CHOICE_UPSTREAM
+
+
+class DownstreamOnly(IsAuthenticated):
+    user_type = User.TYPE_CHOICE_DOWNSTREAM
+
+
+class UserOnly(IsAuthenticated):
+    user_type = User.TYPE_CHOICE_USER
--- a/feudal/backend/views/clients.py
+++ b/feudal/backend/views/clients.py
@@ -14,16 +14,19 @@ from feudal.backend.auth.v1.models.vo import VO, Group, Entitlement
 from feudal.backend.models import Site, Service, deployments
 from feudal.backend.models.brokers import RabbitMQInstance
 from feudal.backend.models.serializers import clients
+from feudal.backend.permissions import DownstreamOnly

 LOGGER = logging.getLogger(__name__)


 # authentication class for the client api
-AUTHENTICATION_CLASSES = (BasicAuthentication, )
+AUTHENTICATION_CLASSES = (BasicAuthentication,)
+PERMISSION_CLASSES = (DownstreamOnly,)


 class DeploymentStateView(generics.UpdateAPIView):
    authentication_classes = AUTHENTICATION_CLASSES
+    permission_classes = PERMISSION_CLASSES
    serializer_class = clients.DeploymentStateSerializer

    def get_object(self):
@@ -59,7 +62,6 @@ class DeploymentStateView(generics.UpdateAPIView):
                state.message,
            )

-
        # update the credential states of this deployment state
        state.client_credential_states(self.request.data.get('credential_states', {}))

@@ -75,6 +77,7 @@ class DeploymentStateView(generics.UpdateAPIView):

 class DeploymentStateListView(generics.ListAPIView):
    authentication_classes = AUTHENTICATION_CLASSES
+    permission_classes = PERMISSION_CLASSES
    serializer_class = clients.DeploymentStateSerializer

    def get_queryset(self):
@@ -88,6 +91,7 @@ class DeploymentStateListView(generics.ListAPIView):
 # the client has to fetch the configuration
 class ConfigurationView(views.APIView):
    authentication_classes = AUTHENTICATION_CLASSES
+    permission_classes = PERMISSION_CLASSES

    sid_to_service = {}

@@ -109,7 +113,6 @@ class ConfigurationView(views.APIView):
        for dep in vo.vo_deployments.all():
            dep.update()

-
    # returns the service ID to service mapping contained in the request
    def parse_sid_to_service(self, request):
        self.sid_to_service = {}
@@ -192,6 +195,7 @@ class ConfigurationView(views.APIView):

 class DeregisterView(views.APIView):
    authentication_classes = AUTHENTICATION_CLASSES
+    permission_classes = PERMISSION_CLASSES

    def put(self, request):


--- a/feudal/backend/views/rest.py
+++ b/feudal/backend/views/rest.py
@@ -11,6 +11,7 @@ from rest_framework.permissions import AllowAny
 from feudal.backend.auth.v1.models.serializers import VOSerializer
 from feudal.backend.auth.v1.models.vo import VO
 from feudal.backend.models import serializers, deployments, Service
+from feudal.backend.permissions import UserOnly

 LOGGER = logging.getLogger(__name__)
 HELP_TEXT = """
@@ -51,6 +52,8 @@ state/<id>      GET     Show your deployment state with id <id>
                        deployment state has state=questionnaire
 """

+PERMISSION_CLASSES = (UserOnly,)
+

 class HelpView(views.APIView):
    permission_classes = (AllowAny,)
@@ -60,6 +63,7 @@ class HelpView(views.APIView):


 class UserDeletionView(generics.RetrieveDestroyAPIView):
+    permission_classes = PERMISSION_CLASSES
    serializer_class = serializers.UserStateSerializer

    def get_object(self):
@@ -72,6 +76,7 @@ class UserDeletionView(generics.RetrieveDestroyAPIView):


 class ServiceListView(generics.ListAPIView):
+    permission_classes = PERMISSION_CLASSES
    serializer_class = serializers.ServiceSerializer

    def get_queryset(self):
@@ -79,6 +84,7 @@ class ServiceListView(generics.ListAPIView):


 class ServiceView(generics.RetrieveAPIView):
+    permission_classes = PERMISSION_CLASSES
    serializer_class = serializers.ServiceSerializer

    def get_object(self):
@@ -89,6 +95,7 @@ class ServiceView(generics.RetrieveAPIView):


 class VOListView(generics.ListAPIView):
+    permission_classes = PERMISSION_CLASSES
    serializer_class = VOSerializer

    def get_queryset(self):
@@ -96,6 +103,7 @@ class VOListView(generics.ListAPIView):


 class VOView(generics.RetrieveAPIView):
+    permission_classes = PERMISSION_CLASSES
    serializer_class = VOSerializer

    def get_object(self):
@@ -106,6 +114,7 @@ class VOView(generics.RetrieveAPIView):


 class SSHPublicKeyListView(generics.ListCreateAPIView):
+    permission_classes = PERMISSION_CLASSES
    serializer_class = serializers.SSHPublicKeySerializer

    def get_queryset(self):
@@ -117,6 +126,7 @@ class SSHPublicKeyListView(generics.ListCreateAPIView):


 class SSHPublicKeyView(generics.RetrieveDestroyAPIView):
+    permission_classes = PERMISSION_CLASSES
    serializer_class = serializers.SSHPublicKeySerializer

    def get_object(self):
@@ -130,6 +140,7 @@ class SSHPublicKeyView(generics.RetrieveDestroyAPIView):


 class DeploymentListView(generics.ListAPIView):
+    permission_classes = PERMISSION_CLASSES
    serializer_class = serializers.DeploymentSerializer

    def get_queryset(self):
@@ -142,6 +153,7 @@ class DeploymentListView(generics.ListAPIView):


 class DeploymentView(generics.RetrieveUpdateAPIView):
+    permission_classes = PERMISSION_CLASSES
    serializer_class = serializers.DeploymentSerializer

    def get_serializer_context(self):
@@ -199,6 +211,7 @@ class DeploymentView(generics.RetrieveUpdateAPIView):


 class DeploymentStateListView(generics.ListCreateAPIView):
+    permission_classes = PERMISSION_CLASSES
    serializer_class = serializers.DeploymentStateSerializer

    def get_queryset(self):
@@ -206,6 +219,7 @@ class DeploymentStateListView(generics.ListCreateAPIView):


 class DeploymentStateView(generics.RetrieveUpdateAPIView):
+    permission_classes = PERMISSION_CLASSES
    serializer_class = serializers.DeploymentStateSerializer

    def get_object(self):