Commit
d23200c4
authored
Jul 27, 2018
by
Lukas Burgey
Line some code
parent
b28029fd
Changes
4
feudal/backend/auth/v1/views/clients.py
# pylint: disable=too-many-return-statements
import
logging
import
re
...
...
@@ -136,8 +137,7 @@ def _resource_authorized_apiclient(request):
and
name
.
startswith
(
'amq.gen-'
)
)
or
(
resource
==
'exchange'
# TODO
#and name in RabbitMQInstance.load().exchanges
and
name
in
RabbitMQInstance
.
load
().
exchanges
and
not
'write'
in
permission
)
...
...
@@ -181,77 +181,91 @@ def resource_endpoint(request):
)
return
DENY
def
topic_endpoint
(
request
):
def
topic_endpoint
_webpageclient
(
request
,
webpage_client_userid
):
permission
=
request
.
POST
.
get
(
'permission'
,
[])
resource
=
request
.
POST
.
get
(
'resource'
,
''
)
name
=
request
.
POST
.
get
(
'name'
,
''
)
routing_key
=
request
.
POST
.
get
(
'routing_key'
,
''
)
if
not
_valid_vhost
(
request
)
or
not
_valid_permission
(
request
):
return
DENY
webpage_client_userid
=
_webpage_client_userid
(
request
)
if
webpage_client_userid
:
if
(
routing_key
==
webpage_client_userid
and
not
'write'
in
permission
):
if
CLIENT_DEBUGGING
:
LOGGER
.
debug
(
'[auth:topic_endpoint] Granted %s access to %s %s to client'
,
permission
,
resource
,
routing_key
,
)
if
(
routing_key
==
webpage_client_userid
and
not
'write'
in
permission
):
if
CLIENT_DEBUGGING
:
LOGGER
.
debug
(
'[auth:topic_endpoint] Granted %s access to %s %s to client'
,
permission
,
resource
,
routing_key
,
)
return
ALLOW
LOGGER
.
error
(
'[auth:topic_endpoint
] Authorization
check for resource %s %s %s for client failed'
,
resource
,
name
,
routing_key
,
)
return
DENY
LOGGER
.
error
(
'[auth:topic_endpoint
_webpageclient] Auth
check for resource %s %s %s for client failed'
,
resource
,
name
,
routing_key
,
)
return
DENY
user
=
_apiclient_get
(
request
)
if
user
:
routing_key
=
request
.
POST
.
get
(
'routing_key'
,
''
)
if
name
==
'services'
:
if
routing_key
.
startswith
(
'service.'
):
match
=
re
.
search
(
'service.(.+)'
,
routing_key
)
if
match
:
service_name
=
match
.
group
(
1
)
if
user
.
site
.
services
.
filter
(
name
=
service_name
).
exists
():
return
ALLOW
elif
name
==
'sites'
:
if
routing_key
==
user
.
site
.
name
:
return
ALLOW
else
:
LOGGER
.
error
(
'[auth:topic_endpoint] Client of site %s tried to access site %s'
,
user
.
site
,
routing_key
,
)
elif
name
==
'groups'
:
try
:
group
=
Group
.
objects
.
get
(
name
=
routing_key
)
def
topic_endpoint_apiclient
(
request
,
apiclient
):
name
=
request
.
POST
.
get
(
'name'
,
''
)
routing_key
=
request
.
POST
.
get
(
'routing_key'
,
''
)
try
:
Site
.
objects
.
get
(
services__groups
=
group
,
client
=
user
,
)
if
name
==
'services'
:
if
routing_key
.
startswith
(
'service.'
):
match
=
re
.
search
(
'service.(.+)'
,
routing_key
)
if
match
:
service_name
=
match
.
group
(
1
)
if
apiclient
.
site
.
services
.
filter
(
name
=
service_name
).
exists
():
return
ALLOW
elif
name
==
'sites'
:
if
routing_key
==
apiclient
.
site
.
name
:
return
ALLOW
else
:
LOGGER
.
error
(
'[auth:topic_endpoint] Client of site %s tried to access site %s'
,
apiclient
.
site
,
routing_key
,
)
elif
name
==
'groups'
:
try
:
group
=
Group
.
objects
.
get
(
name
=
routing_key
)
except
Site
.
MultipleObjectsReturned
:
return
ALLOW
try
:
Site
.
objects
.
get
(
services__groups
=
group
,
client
=
apiclient
,
)
return
ALLOW
except
Site
.
DoesNotExist
:
return
DENY
except
Site
.
MultipleObjectsReturned
:
return
ALLOW
except
Group
.
DoesNotExist
:
except
Site
.
DoesNotExist
:
return
DENY
except
Group
.
DoesNotExist
:
return
DENY
LOGGER
.
error
(
'[auth:topic_endpoint_apiclient] Authorization check for topic failed for %s'
,
request
.
POST
,
)
return
DENY
def
topic_endpoint
(
request
):
if
not
_valid_vhost
(
request
)
or
not
_valid_permission
(
request
):
return
DENY
webpage_client_userid
=
_webpage_client_userid
(
request
)
if
webpage_client_userid
:
return
topic_endpoint_webpageclient
(
request
,
webpage_client_userid
)
apiclient
=
_apiclient_get
(
request
)
if
apiclient
:
return
topic_endpoint_apiclient
(
request
,
apiclient
)
LOGGER
.
error
(
'[auth:topic_endpoint] Authorization check for topic failed for %s'
,
request
.
POST
)
return
DENY
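Review bot: In `topic_endpoint_apiclient`'s `groups` branch the `Site.objects.get(services__groups=group, client=apiclient)` lookup answers `MultipleObjectsReturned` with ALLOW, which looks like a workaround for the duplicate rows a multi-valued join can produce rather than an authorization decision in its own right; the intent reads more clearly as a membership test, `if Site.objects.filter(services__groups=group, client=apiclient).exists(): return ALLOW`, leaving only `except Group.DoesNotExist: return DENY`. The `name == 'services'` branch already guards with `startswith('service.')`, so the unescaped, unanchored `re.search('service.(.+)', routing_key)` can become the plain slice `service_name = routing_key[len('service.'):]` followed by a check that it is non-empty (the regex's `.+` currently enforces that). Style: `not 'write' in permission` appears in both new functions and in `_resource_authorized_apiclient` in the first hunk and reads better as `'write' not in permission`. A one-line docstring on each of the three new functions stating which client kind it authorizes and that every fall-through path returns DENY would make the split easier to follow.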
feudal/backend/auth/v1/views/webpage.py
...
...
@@ -52,8 +52,8 @@ class Auth(View):
LOGGER
.
debug
(
'Auth: redirecting %s to IdP %s'
,
state
,
oidc_config
)
return
redirect
(
auth_redirect
)
except
Exception
as
exception
:
LOGGER
.
error
(
'
Auth: %s'
,
exception
)
except
OIDCConfig
.
DoesNotExist
:
LOGGER
.
error
(
'
OIDCConfig is not available'
)
# the error is deleted from the session when the state is delivered
request
.
session
[
'error'
]
=
'Server Error'
...
...
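Review bot: The `except Exception as exception` clause precedes `except OIDCConfig.DoesNotExist`; if `DoesNotExist` derives from `Exception` (Django model `DoesNotExist` classes do), the second handler can never run and a missing OIDC configuration is only ever logged through the generic `Auth: %s` message. Putting the specific handler first restores it: `except OIDCConfig.DoesNotExist:` with its log line, then `except Exception as exception:`. Since the broad handler is the last line of defence for the login redirect, `LOGGER.exception('Auth: %s', exception)` would also keep the traceback that `LOGGER.error` discards. The enclosing `try` and the `Auth` view method begin outside the hunk.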
feudal/backend/models/__init__.py
...
...
@@ -95,8 +95,6 @@ class Service(models.Model):
).
distinct
():
LOGGER
.
debug
(
user
.
msg
(
'New service for group. Adding to deployment'
))
# all group deployments have the same keys
# TODO check that assumption
try
:
deployment
=
user
.
deployments
.
get
(
group
=
group
)
deployment
.
service_added
(
self
)
...
...
@@ -113,7 +111,6 @@ class SSHPublicKey(models.Model):
max_length
=
1000
)
# hidden field at the user
# TODO checks: if the user is null
user
=
models
.
ForeignKey
(
User
,
related_name
=
'_ssh_keys'
,
...
...
@@ -626,7 +623,6 @@ class DeploymentStateItem(models.Model):
def
user_deploy
(
self
):
if
self
.
state
==
'removal_pending'
:
self
.
_set_state
(
'deployed'
)
# TODO this is now valid
return
if
self
.
state
==
'deployed'
:
...
...
@@ -648,7 +644,6 @@ class DeploymentStateItem(models.Model):
self
.
state
==
'deployment_pending'
or
self
.
state
==
'questionnaire'
):
# TODO this is not valid
self
.
_set_state
(
'not_deployed'
)
return
...
...
feudal/backend/views/clients.py
import
logging
from
django.contrib.auth.models
import
Group
from
rest_framework
import
generics
,
views
from
rest_framework.authentication
import
BasicAuthentication
from
rest_framework.response
import
Response
from
..models.brokers
import
RabbitMQInstance
from
..models.serializers.webpage
import
DeploymentStateSerializer
from
..models.serializers.clients
import
RabbitMQInstanceSerializer
...
...
@@ -35,11 +35,6 @@ class ConfigurationView(views.APIView):
#services = request.data.get('services', None)
group_to_services
=
request
.
data
.
get
(
'group_to_services'
,
None
)
# TODO check if client has new services
#if services is not None:
# for service in services:
# pass
if
group_to_services
is
not
None
:
for
group_name
,
group_service_list
in
group_to_services
.
items
():
group
=
None
...
...
@@ -132,28 +127,18 @@ class ResponseView(views.APIView):
return
response_view_error
(
err
)
# find the corresponding DeploymentStateItem for this response
state_item
=
None
query
=
client_site
.
state_items
.
filter
(
parent__id
=
int
(
state_id
),
site
=
client_site
,
service
=
service
,
)
if
query
.
exists
():
if
len
(
query
)
==
1
:
state_item
=
query
.
first
()
else
:
LOGGER
.
error
(
'[ResponseView] ambiguous DStateItem'
)
return
response_view_error
(
'ambiguous DeploymentStateItem'
)
else
:
LOGGER
.
error
(
'[ResponseView] No matching DStateItem'
)
return
response_view_error
(
'no matching DeploymentStateItem'
)
if
state_item
is
not
None
:
try
:
state_item
=
client_site
.
state_items
.
get
(
parent__id
=
int
(
state_id
),
site
=
client_site
,
service
=
service
,
)
err
=
state_item
.
client_response
(
output
)
if
err
is
not
None
:
LOGGER
.
error
(
'[ResponseView] Error parsing response from %s: %s'
,
request
.
user
,
err
)
return
response_view_error
(
err
)
return
Response
({})
LOGGER
.
info
(
'[ResponseView] %s executed the obsolete state#%s'
,
request
.
user
,
state_id
)
return
response_view_error
(
'obsolete state'
)
except
models
.
DeploymentStateItem
.
DoesNotExist
:
LOGGER
.
error
(
'[ResponseView] No matching DStateItem'
)
return
response_view_error
(
'no matching DeploymentStateItem'
)
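Review bot: The new `try` around `client_site.state_items.get(parent__id=int(state_id), site=client_site, service=service)` handles only `DoesNotExist`; the ambiguous case that the removed `len(query) == 1` check reported as `'ambiguous DeploymentStateItem'` now escapes `.get()` as an uncaught `MultipleObjectsReturned`, so the client gets a server error instead of the controlled `response_view_error` reply. Add a second handler next to the existing one: `except models.DeploymentStateItem.MultipleObjectsReturned:` / `LOGGER.error('[ResponseView] ambiguous DStateItem')` / `return response_view_error('ambiguous DeploymentStateItem')`. `int(state_id)` is evaluated inside the same `try`, and a non-numeric `state_id` raises `ValueError`, which neither the old nor the new code catches; if `state_id` comes from the request it is worth validating before the query (the enclosing method starts outside the hunk, so where it is parsed is not visible here). The `ConfigurationView` hunk above only removes commented-out code and needs nothing.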