Implement authorization checks for clients

7e4f6229 · Lukas Burgey · 719e1fcb · 7e4f6229
Commit 7e4f6229 authored Mar 16, 2018 by Lukas Burgey
--- a/django_backend/backend/auth/v1/client_views.py
+++ b/django_backend/backend/auth/v1/client_views.py

 import logging
+import re
 from django.http import HttpResponse
 from django.contrib.auth import authenticate
+from ...models import User, RabbitMQInstance

 LOGGER = logging.getLogger(__name__)

+
+def _check_vhost(request):
+    if 'vhost' in request.POST and request.POST['vhost'] == RabbitMQInstance.load().vhost:
+        return True
+    LOGGER.error('illegal vhost requested')
+    return False
+
+def _check_permission(request):
+    if 'permission' in request.POST and request.POST['permission'] != 'write':
+        return True
+    LOGGER.error('illegal permission requested')
+    return False
+
+def _get_user(request):
+    if 'username' in request.POST:
+        return User.objects.filter(user_type='apiclient').get(username=request.POST['username'])
+    return None
+
+# client authentication for RabbitMQ
 def user_endpoint(request):
-    LOGGER.debug('RabbitMQ sent auth request')
    if 'username' in request.POST and 'password' in request.POST:
        username = request.POST['username']
        password = request.POST['password']
@@ -16,17 +36,54 @@ def user_endpoint(request):

            if user.is_superuser:
                return HttpResponse("allow administrator")
-            else:
-                return HttpResponse("allow management")
+
+            return HttpResponse("allow management")

    LOGGER.error('Failed to authenticate user for RabbitMQ')
    return HttpResponse("deny")

+
+# client authorization checks for RabbitMQ
 def vhost(request):
-    return HttpResponse("allow")
+    # check if on the correct virtual host
+    if _check_vhost(request):
+        return HttpResponse("allow")
+
+    LOGGER.error('Authorization check for vhost failed for %s', request.POST)
+    return HttpResponse("deny")

 def resource(request):
-    return HttpResponse("allow")
+    if _check_vhost(request):
+
+        if 'resource' in request.POST and 'name' in request.POST:
+            if request.POST['resource'] == 'queue':
+                # the temporary queue a client binds to our exchange
+                if request.POST['name'].startswith('amq.gen-'):
+                    return HttpResponse('allow')
+            elif request.POST['resource'] == 'exchange' and _check_permission(request):
+                # our exchange
+                if request.POST['name'] == RabbitMQInstance.load().exchange:
+                    return HttpResponse('allow')
+            elif request.POST['resource'] == 'topic' and _check_permission(request):
+                pass
+
+    LOGGER.error('Authorization check for resource failed for %s', request.POST)
+    return HttpResponse("deny")
+

 def topic(request):
-    return HttpResponse("allow")
+    # check if on the correct virtual host
+    if _check_vhost(request) and _check_permission(request):
+        user = _get_user(request)
+        if user:
+            if 'routing_key' in request.POST:
+                routing_key = request.POST['routing_key']
+                if routing_key.startswith('service.'):
+                    m = re.search('service.(.+)', routing_key)
+                    if m:
+                        service_name = m.group(1)
+                        for service in user.site.services.all():
+                            if service_name == service.name:
+                                return HttpResponse('allow')
+    LOGGER.error('Authorization check for topic failed for %s', request.POST)
+    return HttpResponse('deny')