Commit 7e4f6229 authored by Lukas Burgey's avatar Lukas Burgey

Implement authorization checks for clients

parent 719e1fcb
import logging import logging
import re
from django.http import HttpResponse from django.http import HttpResponse
from django.contrib.auth import authenticate from django.contrib.auth import authenticate
from ...models import User, RabbitMQInstance
LOGGER = logging.getLogger(__name__) LOGGER = logging.getLogger(__name__)
def _check_vhost(request):
if 'vhost' in request.POST and request.POST['vhost'] == RabbitMQInstance.load().vhost:
return True
LOGGER.error('illegal vhost requested')
return False
def _check_permission(request):
if 'permission' in request.POST and request.POST['permission'] != 'write':
return True
LOGGER.error('illegal permission requested')
return False
def _get_user(request):
if 'username' in request.POST:
return User.objects.filter(user_type='apiclient').get(username=request.POST['username'])
return None
# client authentication for RabbitMQ
def user_endpoint(request): def user_endpoint(request):
LOGGER.debug('RabbitMQ sent auth request')
if 'username' in request.POST and 'password' in request.POST: if 'username' in request.POST and 'password' in request.POST:
username = request.POST['username'] username = request.POST['username']
password = request.POST['password'] password = request.POST['password']
...@@ -16,17 +36,54 @@ def user_endpoint(request): ...@@ -16,17 +36,54 @@ def user_endpoint(request):
if user.is_superuser: if user.is_superuser:
return HttpResponse("allow administrator") return HttpResponse("allow administrator")
else:
return HttpResponse("allow management") return HttpResponse("allow management")
LOGGER.error('Failed to authenticate user for RabbitMQ') LOGGER.error('Failed to authenticate user for RabbitMQ')
return HttpResponse("deny") return HttpResponse("deny")
# client authorization checks for RabbitMQ
def vhost(request): def vhost(request):
return HttpResponse("allow") # check if on the correct virtual host
if _check_vhost(request):
return HttpResponse("allow")
LOGGER.error('Authorization check for vhost failed for %s', request.POST)
return HttpResponse("deny")
def resource(request): def resource(request):
return HttpResponse("allow") if _check_vhost(request):
if 'resource' in request.POST and 'name' in request.POST:
if request.POST['resource'] == 'queue':
# the temporary queue a client binds to our exchange
if request.POST['name'].startswith('amq.gen-'):
return HttpResponse('allow')
elif request.POST['resource'] == 'exchange' and _check_permission(request):
# our exchange
if request.POST['name'] == RabbitMQInstance.load().exchange:
return HttpResponse('allow')
elif request.POST['resource'] == 'topic' and _check_permission(request):
pass
LOGGER.error('Authorization check for resource failed for %s', request.POST)
return HttpResponse("deny")
def topic(request): def topic(request):
return HttpResponse("allow") # check if on the correct virtual host
if _check_vhost(request) and _check_permission(request):
user = _get_user(request)
if user:
if 'routing_key' in request.POST:
routing_key = request.POST['routing_key']
if routing_key.startswith('service.'):
m = re.search('service.(.+)', routing_key)
if m:
service_name = m.group(1)
for service in user.site.services.all():
if service_name == service.name:
return HttpResponse('allow')
LOGGER.error('Authorization check for topic failed for %s', request.POST)
return HttpResponse('deny')
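Review bot: `_check_permission` is a denylist — it only rejects `'write'` — so in `resource` the exchange branch also passes `'configure'`, which would let an API client declare or delete the shared exchange rather than merely bind to it; if clients are only meant to consume, make the helper an allowlist, `if request.POST.get('permission') == 'read':` (keep the `LOGGER.error` / `return False` fallthrough). `_get_user` calls `.get(username=...)` without handling `User.DoesNotExist`, so a RabbitMQ request for a username that is not an `apiclient` raises out of `topic` as a 500 instead of a logged `deny`; wrap the lookup in `try`/`except User.DoesNotExist: return None`. The queue branch allows every permission on any `amq.gen-*` queue in the vhost, not just the requesting client's own, so cross-client read/delete is prevented only if those queues are declared exclusive — worth a comment stating that assumption. Also `re.search('service.(.+)', routing_key)` has an unescaped `.` and is redundant after the `startswith('service.')` guard; `service_name = routing_key[len('service.'):]` says the same thing without the regex.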