def headerparserhandler(req): from mod_python.apache import HTTP_UNAUTHORIZED, HTTP_FORBIDDEN, OK control = MercurialAccessControl(req) if not control.is_authentic(): req.err_headers_out[ 'WWW-Authenticate'] = 'Basic realm="%s"' % control.options['realm'] return HTTP_UNAUTHORIZED # Check if blocked or expired if control.is_blocked(): return HTTP_FORBIDDEN if not control.has_permission(): if 'Authorization' not in req.headers_in: req.err_headers_out[ 'WWW-Authenticate'] = 'Basic realm="%s"' % control.options[ 'realm'] return HTTP_UNAUTHORIZED return HTTP_FORBIDDEN if not control.is_allowed_scheme('hg'): return HTTP_FORBIDDEN return OK
def headerparserhandler(req): from mod_python.apache import HTTP_UNAUTHORIZED, HTTP_FORBIDDEN, OK control = MercurialAccessControl(req) if not control.is_authentic(): req.err_headers_out['WWW-Authenticate'] = 'Basic realm="%s"' % control.options['realm'] return HTTP_UNAUTHORIZED # Check if blocked or expired if control.is_blocked(): return HTTP_FORBIDDEN if not control.has_permission(): if 'Authorization' not in req.headers_in: req.err_headers_out['WWW-Authenticate'] = 'Basic realm="%s"' % control.options['realm'] return HTTP_UNAUTHORIZED return HTTP_FORBIDDEN if not control.is_allowed_scheme('hg'): return HTTP_FORBIDDEN return OK
def testAccess(self): conf.use_test_db(True) self.load_fixtures() # Cartman has read access to storageauthtest # Simple read cases when having read access hgaccess = MercurialAccessControl(DummyReq('cartman', 'cartmans_pw', 'GET', '/hg/storageauthtest', 'cmd=stream_out')) self.assertTrue(hgaccess.has_permission()) hgaccess = MercurialAccessControl(DummyReq('cartman', 'cartmans_pw', 'GET', '/hg/storageauthtest', 'cmd=changegroupsubset')) self.assertTrue(hgaccess.has_permission()) # Simple write cases when having read access hgaccess = MercurialAccessControl(DummyReq('cartman', 'cartmans_pw', 'GET', '/hg/storageauthtest', 'cmd=unbundle')) self.assertFalse(hgaccess.has_permission()) hgaccess = MercurialAccessControl(DummyReq('cartman', 'cartmans_pw', 'GET', '/hg/storageauthtest', 'cmd=pushkey')) self.assertFalse(hgaccess.has_permission()) hgaccess = MercurialAccessControl(DummyReq('cartman', 'cartmans_pw', 'GET', '/hg/storageauthtest', 'cmd=stream_out&cmd=pushkey')) self.assertFalse(hgaccess.has_permission()) # Kenny has write access to storageauthtest # Simple read cases when having write access hgaccess = MercurialAccessControl(DummyReq('kenny', 'ohmygod', 'GET', '/hg/storageauthtest', 'cmd=stream_out')) self.assertTrue(hgaccess.has_permission()) hgaccess = MercurialAccessControl(DummyReq('kenny', 'ohmygod', 'GET', '/hg/storageauthtest', 'cmd=changegroupsubset')) self.assertTrue(hgaccess.has_permission()) # Simple write cases when having write access hgaccess = MercurialAccessControl(DummyReq('kenny', 'ohmygod', 'GET', '/hg/storageauthtest', 'cmd=unbundle')) self.assertTrue(hgaccess.has_permission()) hgaccess = MercurialAccessControl(DummyReq('kenny', 'ohmygod', 'GET', '/hg/storageauthtest', 'cmd=pushkey')) self.assertTrue(hgaccess.has_permission()) hgaccess = MercurialAccessControl(DummyReq('kenny', 'ohmygod', 'GET', '/hg/storageauthtest', 'cmd=stream_out&cmd=pushkey')) self.assertFalse(hgaccess.has_permission())
def testIsRead(self): # Should be read in case that # cmd not in perms or perms[cmd] != 'push' # Is not read if # cmd in perms and perms[cmd] = 'push' == not ( is_read ) # # perms = { # 'changegroup': 'pull', # 'changegroupsubset': 'pull', # 'stream_out': 'pull', # 'listkeys': 'pull', # 'unbundle': 'push', # 'pushkey': 'push', # } conf.use_test_db(False) # Simple read cases hgaccess = MercurialAccessControl(DummyReq('cartman', 'cartmans_pw', 'GET', '/hg/storageauthtest', 'cmd=stream_out')) self.assertTrue(hgaccess.is_read()) hgaccess = MercurialAccessControl(DummyReq('cartman', 'cartmans_pw', 'GET', '/hg/storageauthtest', 'cmd=changegroupsubset')) self.assertTrue(hgaccess.is_read()) # Simple write cases hgaccess = MercurialAccessControl(DummyReq('cartman', 'cartmans_pw', 'GET', '/hg/storageauthtest', 'cmd=unbundle')) self.assertFalse(hgaccess.is_read()) hgaccess = MercurialAccessControl(DummyReq('cartman', 'cartmans_pw', 'GET', '/hg/storageauthtest', 'cmd=pushkey')) self.assertFalse(hgaccess.is_read()) # What if cmd is given twice? One with read and one with write? Someone tries to disguise write access as read access # In this case it should test against the strongest command hgaccess = MercurialAccessControl(DummyReq('cartman', 'cartmans_pw', 'GET', '/hg/storageauthtest', 'cmd=stream_out&cmd=pushkey')) self.assertFalse(hgaccess.is_read()) hgaccess = MercurialAccessControl(DummyReq('cartman', 'cartmans_pw', 'GET', '/hg/storageauthtest', 'cmd=pushkey&cmd=stream_out')) self.assertFalse(hgaccess.is_read())
def testIsProtocolRequest(self): # No command => not protocol request hgaccess = MercurialAccessControl(DummyReq('cartman', 'cartmans_pw', 'GET', '/hg/storageauthtest', '')) self.assertFalse(hgaccess.is_protocol_request()) # Not protocol command => not protocol request hgaccess = MercurialAccessControl(DummyReq('cartman', 'cartmans_pw', 'GET', '/hg/storageauthtest', 'cmd=log')) self.assertFalse(hgaccess.is_protocol_request()) # Path continues after project name => not protocol request hgaccess = MercurialAccessControl(DummyReq('cartman', 'cartmans_pw', 'GET', '/hg/storageauthtest/branches', 'cmd=log')) self.assertFalse(hgaccess.is_protocol_request()) # Ending slash in the request and wrong command, => not protocol request hgaccess = MercurialAccessControl(DummyReq('cartman', 'cartmans_pw', 'GET', '/hg/storageauthtest/', 'cmd=log')) self.assertFalse(hgaccess.is_protocol_request()) # Ending slash in the request but no path, => protocol request hgaccess = MercurialAccessControl(DummyReq('cartman', 'cartmans_pw', 'GET', '/hg/storageauthtest/', 'cmd=branches')) self.assertTrue(hgaccess.is_protocol_request()) # Valid cmd, valid path => protocol request hgaccess = MercurialAccessControl(DummyReq('cartman', 'cartmans_pw', 'GET', '/hg/storageauthtest', 'cmd=branches&foo=bar')) self.assertTrue(hgaccess.is_protocol_request()) # Valid cmd, valid path => protocol request hgaccess = MercurialAccessControl(DummyReq('cartman', 'cartmans_pw', 'GET', '/hg/storageauthtest', 'foo=bar&cmd=branches')) self.assertTrue(hgaccess.is_protocol_request())