7e4f6229
Commit
7e4f6229
authored
Mar 16, 2018
by
Lukas Burgey
Implement authorization checks for clients
parent
719e1fcb
Changes
1
Showing
1 changed file
with
63 additions
and
6 deletions
+63
-6
django_backend/backend/auth/v1/client_views.py
django_backend/backend/auth/v1/client_views.py
+63
-6
django_backend/backend/auth/v1/client_views.py
import
logging
import
re
from
django.http
import
HttpResponse
from
django.contrib.auth
import
authenticate
from
...models
import
User
,
RabbitMQInstance
LOGGER
=
logging
.
getLogger
(
__name__
)
def
_check_vhost
(
request
):
if
'vhost'
in
request
.
POST
and
request
.
POST
[
'vhost'
]
==
RabbitMQInstance
.
load
().
vhost
:
return
True
LOGGER
.
error
(
'illegal vhost requested'
)
return
False
def
_check_permission
(
request
):
if
'permission'
in
request
.
POST
and
request
.
POST
[
'permission'
]
!=
'write'
:
return
True
LOGGER
.
error
(
'illegal permission requested'
)
return
False
def
_get_user
(
request
):
if
'username'
in
request
.
POST
:
return
User
.
objects
.
filter
(
user_type
=
'apiclient'
).
get
(
username
=
request
.
POST
[
'username'
])
return
None
# client authentication for RabbitMQ
def
user_endpoint
(
request
):
LOGGER
.
debug
(
'RabbitMQ sent auth request'
)
if
'username'
in
request
.
POST
and
'password'
in
request
.
POST
:
username
=
request
.
POST
[
'username'
]
password
=
request
.
POST
[
'password'
]
...
...
@@ -16,17 +36,54 @@ def user_endpoint(request):
if
user
.
is_superuser
:
return
HttpResponse
(
"allow administrator"
)
else
:
return
HttpResponse
(
"allow management"
)
return
HttpResponse
(
"allow management"
)
LOGGER
.
error
(
'Failed to authenticate user for RabbitMQ'
)
return
HttpResponse
(
"deny"
)
# client authorization checks for RabbitMQ
def
vhost
(
request
):
return
HttpResponse
(
"allow"
)
# check if on the correct virtual host
if
_check_vhost
(
request
):
return
HttpResponse
(
"allow"
)
LOGGER
.
error
(
'Authorization check for vhost failed for %s'
,
request
.
POST
)
return
HttpResponse
(
"deny"
)
def
resource
(
request
):
return
HttpResponse
(
"allow"
)
if
_check_vhost
(
request
):
if
'resource'
in
request
.
POST
and
'name'
in
request
.
POST
:
if
request
.
POST
[
'resource'
]
==
'queue'
:
# the temporary queue a client binds to our exchange
if
request
.
POST
[
'name'
].
startswith
(
'amq.gen-'
):
return
HttpResponse
(
'allow'
)
elif
request
.
POST
[
'resource'
]
==
'exchange'
and
_check_permission
(
request
):
# our exchange
if
request
.
POST
[
'name'
]
==
RabbitMQInstance
.
load
().
exchange
:
return
HttpResponse
(
'allow'
)
elif
request
.
POST
[
'resource'
]
==
'topic'
and
_check_permission
(
request
):
pass
LOGGER
.
error
(
'Authorization check for resource failed for %s'
,
request
.
POST
)
return
HttpResponse
(
"deny"
)
def
topic
(
request
):
return
HttpResponse
(
"allow"
)
# check if on the correct virtual host
if
_check_vhost
(
request
)
and
_check_permission
(
request
):
user
=
_get_user
(
request
)
if
user
:
if
'routing_key'
in
request
.
POST
:
routing_key
=
request
.
POST
[
'routing_key'
]
if
routing_key
.
startswith
(
'service.'
):
m
=
re
.
search
(
'service.(.+)'
,
routing_key
)
if
m
:
service_name
=
m
.
group
(
1
)
for
service
in
user
.
site
.
services
.
all
():
if
service_name
==
service
.
name
:
return
HttpResponse
(
'allow'
)
LOGGER
.
error
(
'Authorization check for topic failed for %s'
,
request
.
POST
)
return
HttpResponse
(
'deny'
)
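Review bot: In the second hunk (`@@ -16,17 +36,54 @@`), `topic` calls `_get_user`, which ends in `.get(username=...)` and therefore raises `User.DoesNotExist` (or `MultipleObjectsReturned`) for any username that is not an `apiclient` user, so an unknown client produces an unhandled exception instead of the `HttpResponse('deny')` the function otherwise returns; `return User.objects.filter(user_type='apiclient', username=request.POST['username']).first()` keeps the `if user:` guard meaningful. The `re.search('service.(.+)', routing_key)` that follows is unanchored and its dot is unescaped; since the key has already passed `startswith('service.')`, `service_name = routing_key[len('service.'):]` is simpler and drops the pattern entirely. This page has lost the old/new markers, so I read the unconditional `return HttpResponse("allow")` at the top of `vhost`, `resource` and `topic` as the removed lines — if any of them survives on the new side, the checks below it are unreachable and that endpoint allows every request. `_get_user` itself is defined in the first hunk, outside this one.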
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
.
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment