Line some code

d23200c4 · Lukas Burgey · b28029fd · d23200c4 · d23200c4 · d23200c4
Commit d23200c4 authored Jul 27, 2018 by Lukas Burgey
--- a/feudal/backend/auth/v1/views/clients.py
+++ b/feudal/backend/auth/v1/views/clients.py
+# pylint: disable=too-many-return-statements

 import logging
 import re
@@ -136,8 +137,7 @@ def _resource_authorized_apiclient(request):
        and name.startswith('amq.gen-')
    ) or (
        resource == 'exchange'
-        # TODO
-        #and name in RabbitMQInstance.load().exchanges
+        and name in RabbitMQInstance.load().exchanges
        and not 'write' in permission
    )

@@ -181,77 +181,91 @@ def resource_endpoint(request):
    )
    return DENY

-def topic_endpoint(request):
+def topic_endpoint_webpageclient(request, webpage_client_userid):
    permission = request.POST.get('permission', [])
    resource = request.POST.get('resource', '')
    name = request.POST.get('name', '')
    routing_key = request.POST.get('routing_key', '')

-    if not _valid_vhost(request) or not _valid_permission(request):
-        return DENY
-
-    webpage_client_userid = _webpage_client_userid(request)
-    if webpage_client_userid:
-        if (
-                routing_key == webpage_client_userid
-                and not 'write' in permission
-        ):
-            if CLIENT_DEBUGGING:
-                LOGGER.debug(
-                    '[auth:topic_endpoint] Granted %s access to %s %s to client',
-                    permission,
-                    resource,
-                    routing_key,
-                )
+    if (
+            routing_key == webpage_client_userid
+            and not 'write' in permission
+    ):
+        if CLIENT_DEBUGGING:
+            LOGGER.debug(
+                '[auth:topic_endpoint] Granted %s access to %s %s to client',
+                permission,
+                resource,
+                routing_key,
+            )
            return ALLOW

-        LOGGER.error(
-            '[auth:topic_endpoint] Authorization check for resource %s %s %s for client failed',
-            resource,
-            name,
-            routing_key,
-        )
-        return DENY
+    LOGGER.error(
+        '[auth:topic_endpoint_webpageclient] Auth check for resource %s %s %s for client failed',
+        resource,
+        name,
+        routing_key,
+    )
+    return DENY

-    user = _apiclient_get(request)
-    if user:
-        routing_key = request.POST.get('routing_key', '')
-        if name == 'services':
-            if routing_key.startswith('service.'):
-                match = re.search('service.(.+)', routing_key)
-                if match:
-                    service_name = match.group(1)
-                    if user.site.services.filter(name=service_name).exists():
-                        return ALLOW
-        elif name == 'sites':
-            if routing_key == user.site.name:
-                return ALLOW
-            else:
-                LOGGER.error(
-                    '[auth:topic_endpoint] Client of site %s tried to access site %s',
-                    user.site,
-                    routing_key,
-                )
-        elif name == 'groups':
-            try:
-                group = Group.objects.get(name=routing_key)
+def topic_endpoint_apiclient(request, apiclient):
+    name = request.POST.get('name', '')
+    routing_key = request.POST.get('routing_key', '')

-                try:
-                    Site.objects.get(
-                        services__groups=group,
-                        client=user,
-                    )
+    if name == 'services':
+        if routing_key.startswith('service.'):
+            match = re.search('service.(.+)', routing_key)
+            if match:
+                service_name = match.group(1)
+                if apiclient.site.services.filter(name=service_name).exists():
                    return ALLOW
+    elif name == 'sites':
+        if routing_key == apiclient.site.name:
+            return ALLOW
+        else:
+            LOGGER.error(
+                '[auth:topic_endpoint] Client of site %s tried to access site %s',
+                apiclient.site,
+                routing_key,
+            )
+    elif name == 'groups':
+        try:
+            group = Group.objects.get(name=routing_key)

-                except Site.MultipleObjectsReturned:
-                    return ALLOW
+            try:
+                Site.objects.get(
+                    services__groups=group,
+                    client=apiclient,
+                )
+                return ALLOW

-                except Site.DoesNotExist:
-                    return DENY
+            except Site.MultipleObjectsReturned:
+                return ALLOW

-            except Group.DoesNotExist:
+            except Site.DoesNotExist:
                return DENY

+        except Group.DoesNotExist:
+            return DENY
+
+    LOGGER.error(
+        '[auth:topic_endpoint_apiclient] Authorization check for topic failed for %s',
+        request.POST,
+    )
+    return DENY
+
+def topic_endpoint(request):
+    if not _valid_vhost(request) or not _valid_permission(request):
+        return DENY
+
+    webpage_client_userid = _webpage_client_userid(request)
+    if webpage_client_userid:
+        return topic_endpoint_webpageclient(request, webpage_client_userid)
+
+    apiclient = _apiclient_get(request)
+    if apiclient:
+        return topic_endpoint_apiclient(request, apiclient)
+

    LOGGER.error('[auth:topic_endpoint] Authorization check for topic failed for %s', request.POST)
    return DENY
--- a/feudal/backend/auth/v1/views/webpage.py
+++ b/feudal/backend/auth/v1/views/webpage.py
@@ -52,8 +52,8 @@ class Auth(View):
            LOGGER.debug('Auth: redirecting %s to IdP %s', state, oidc_config)
            return redirect(auth_redirect)

-        except Exception as exception:
-            LOGGER.error('Auth: %s', exception)
+        except OIDCConfig.DoesNotExist:
+            LOGGER.error('OIDCConfig is not available')

            # the error is deleted from the session when the state is delivered
            request.session['error'] = 'Server Error'

--- a/feudal/backend/models/__init__.py
+++ b/feudal/backend/models/__init__.py
@@ -95,8 +95,6 @@ class Service(models.Model):
            ).distinct():
                LOGGER.debug(user.msg('New service for group. Adding to deployment'))

-                # all group deployments have the same keys
-                # TODO check that assumption
                try:
                    deployment = user.deployments.get(group=group)
                    deployment.service_added(self)
@@ -113,7 +111,6 @@ class SSHPublicKey(models.Model):
        max_length=1000
    )
    # hidden field at the user
-    # TODO checks: if the user is null
    user = models.ForeignKey(
        User,
        related_name='_ssh_keys',
@@ -626,7 +623,6 @@ class DeploymentStateItem(models.Model):
    def user_deploy(self):
        if self.state == 'removal_pending':
            self._set_state('deployed')
-            # TODO this is now valid
            return

        if self.state == 'deployed':
@@ -648,7 +644,6 @@ class DeploymentStateItem(models.Model):
                self.state == 'deployment_pending'
                or self.state == 'questionnaire'
        ):
-            # TODO this is not valid
            self._set_state('not_deployed')
            return


--- a/feudal/backend/views/clients.py
+++ b/feudal/backend/views/clients.py

 import logging
+
 from django.contrib.auth.models import Group
 from rest_framework import generics, views
 from rest_framework.authentication import BasicAuthentication
 from rest_framework.response import Response

-
 from ..models.brokers import RabbitMQInstance
 from ..models.serializers.webpage import DeploymentStateSerializer
 from ..models.serializers.clients import RabbitMQInstanceSerializer
@@ -35,11 +35,6 @@ class ConfigurationView(views.APIView):
        #services = request.data.get('services', None)
        group_to_services = request.data.get('group_to_services', None)

-        # TODO check if client has new services
-        #if services is not None:
-        #    for service in services:
-        #        pass
-
        if group_to_services is not None:
            for group_name, group_service_list in group_to_services.items():
                group = None
@@ -132,28 +127,18 @@ class ResponseView(views.APIView):
            return response_view_error(err)

        # find the corresponding DeploymentStateItem for this response
-        state_item = None
-        query = client_site.state_items.filter(
-            parent__id=int(state_id),
-            site=client_site,
-            service=service,
-        )
-        if query.exists():
-            if len(query) == 1:
-                state_item = query.first()
-            else:
-                LOGGER.error('[ResponseView] ambiguous DStateItem')
-                return response_view_error('ambiguous DeploymentStateItem')
-        else:
-            LOGGER.error('[ResponseView] No matching DStateItem')
-            return response_view_error('no matching DeploymentStateItem')
-
-        if state_item is not None:
+        try:
+            state_item = client_site.state_items.get(
+                parent__id=int(state_id),
+                site=client_site,
+                service=service,
+            )
            err = state_item.client_response(output)
            if err is not None:
                LOGGER.error('[ResponseView] Error parsing response from %s: %s', request.user, err)
                return response_view_error(err)
            return Response({})

-        LOGGER.info('[ResponseView] %s executed the obsolete state#%s', request.user, state_id)
-        return response_view_error('obsolete state')
+        except models.DeploymentStateItem.DoesNotExist:
+            LOGGER.error('[ResponseView] No matching DStateItem')
+            return response_view_error('no matching DeploymentStateItem')