def __init__(self,
openid_provider,
check_certificate=True,
**kwargs):
unknown = []
self.permissions = {}
for group in kwargs:
self.permissions[group] = []
for perm in kwargs[group]:
if perm in Authz.knownActions:
self.permissions[group].append(perm)
else:
unknown.append(perm)
self.openid_provider = openid_provider
self.sessions = SessionManager()
self.init_childs = False
if not check_certificate:
setDefaultFetcher(Urllib2Fetcher())
# This makes us get self.master as per baseweb.py:472
self.auth = self
# This makes the login form be a link
self.useHttpHeader = True
self.httpLoginUrl = '/_openid_start/'
if unknown != []:
raise ValueError('Unknown authorization action(s) ' +
', '.join(unknown))
def __init__(self, url, client_id, client_secret, root_uri, **kwargs):
unknown = []
self.permissions = {}
for group in kwargs:
self.permissions[group] = []
for perm in kwargs[group]:
if perm in Authz.knownActions:
self.permissions[group].append(perm)
else:
unknown.append(perm)
self.url = url
self.client_id = client_id
self.client_secret = client_secret
self.root_uri = root_uri
self.sessions = SessionManager()
self.init_childs = False
# This makes us get self.master as per baseweb.py:472
self.auth = self
# This makes the login form be a link
self.useHttpHeader = True
self.httpLoginUrl = '/_github_oauth2_handler'
if unknown != []:
raise ValueError('Unknown authorization action(s) ' +
', '.join(unknown))
def __init__(self,
default_action=False,
auth=None,
useHttpHeader=False,
httpLoginUrl=False,
view=True,
**kwargs):
self.auth = auth
if auth:
assert IAuth.providedBy(auth)
self.useHttpHeader = useHttpHeader
self.httpLoginUrl = httpLoginUrl
self.config = dict((a, default_action) for a in self.knownActions)
self.config['view'] = view
for act in self.knownActions:
if act in kwargs:
self.config[act] = kwargs[act]
del kwargs[act]
self.sessions = SessionManager()
if kwargs:
raise ValueError("unknown authorization action(s) " +
", ".join(kwargs.keys()))
def __init__(self, url, client_id, client_secret, root_uri, **kwargs):
unknown = []
self.permissions = {}
for group in kwargs:
self.permissions[group] = []
for perm in kwargs[group]:
if perm in Authz.knownActions:
self.permissions[group].append(perm)
else:
unknown.append(perm)
self.url = url
self.client_id = client_id
self.client_secret = client_secret
self.root_uri = root_uri
self.sessions = SessionManager()
self.init_childs = False
# This makes us get self.master as per baseweb.py:472
self.auth = self
# This makes the login form be a link
self.useHttpHeader = True
self.httpLoginUrl = "/_google_oauth2_handler"
if unknown != []:
raise ValueError("Unknown authorization action(s) " + ", ".join(unknown))
def __init__(self,
default_action=False,
auth=None,
useHttpHeader=False,
httpLoginUrl=False,
**kwargs):
self.auth = auth
if auth:
assert IAuth.providedBy(auth)
self.useHttpHeader = useHttpHeader
if httpLoginUrl:
self.httpLoginUrl = httpLoginUrl
elif auth is not None:
self.httpLoginUrl = auth.getLoginUrl()
else:
self.httpLoginUrl = None
self.config = dict( (a, default_action) for a in self.knownActions )
for act in self.knownActions:
if act in kwargs:
self.config[act] = kwargs[act]
del kwargs[act]
self.sessions = SessionManager()
if kwargs:
raise ValueError("unknown authorization action(s) " + ", ".join(kwargs.keys()))
def __init__(self,
openid_provider,
check_certificate=True,
**kwargs):
unknown = []
self.permissions = {}
for group in kwargs:
# Work around the limitations of python identifiers:
# python identifiers don't support dashes, while unix group names do
# This is admittedly a hack, but if you have a better way: a PR is welcome
group = group.replace('_DASH_', '-')
self.permissions[group] = []
for perm in kwargs[group]:
if perm in Authz.knownActions:
self.permissions[group].append(perm)
else:
unknown.append(perm)
self.openid_provider = openid_provider
self.sessions = SessionManager()
self.init_childs = False
if not check_certificate:
setDefaultFetcher(Urllib2Fetcher())
# This makes us get self.master as per baseweb.py:472
self.auth = self
# This makes the login form be a link
self.useHttpHeader = True
if unknown != []:
raise ValueError('Unknown authorization action(s) ' +
', '.join(unknown))
class OpenIDHandle(object):
def __init__(self, root_url):
self.root_url = root_url
self.isLeaf = True
self.sessions = SessionManager()
def flatten_args(self, request):
# Flatten args (twisted returns arrays). Just always take first
args = {}
for arg in request.args:
args[arg] = request.args.get(arg)[0]
return args
def render(self, request):
session = {}
return_to = self.root_url + '_openid_handle/'
oidconsumer = consumer.Consumer(session, None)
info = oidconsumer.complete(self.flatten_args(request), return_to)
display_identifier = info.getDisplayIdentifier()
if info.status == consumer.FAILURE and display_identifier:
return 'OpenID Error: %s' % display_identifier
elif info.status == consumer.CANCEL:
return 'Cancelled'
elif info.status == consumer.SUCCESS:
# Success happened!
sreg_resp = sreg.SRegResponse.fromSuccessResponse(info)
teams_resp = teams.TeamsResponse.fromSuccessResponse(info)
user = {'fullName': '', 'userName': '', 'email': '',
'groups': []}
if not sreg_resp:
return 'No sreg?'
user['userName'] = sreg_resp.get('nickname')
user['fullName'] = sreg_resp.get('fullname')
user['email'] = sreg_resp.get('email')
if teams_resp:
user['groups'] = frozenset(teams_resp.teams)
cookie, s = self.sessions.new(user['userName'], user)
request.addCookie(COOKIE_KEY, cookie, expires=s.getExpiration(),
path="/")
request.received_cookies = {COOKIE_KEY: cookie}
request.redirect(self.root_url)
return 'DONE'
else:
return 'Strange state: %s' % info.status
try:
request.finish()
except RuntimeError:
# this occurs when the client has already disconnected; ignore
# it (see #2027)
log.msg("http client disconnected before results were sent")
class OpenIDHandle(object):
def __init__(self, root_url):
self.root_url = root_url
self.isLeaf = True
self.sessions = SessionManager()
def flatten_args(self, request):
# Flatten args (twisted returns arrays). Just always take first
args = {}
for arg in request.args:
args[arg] = request.args.get(arg)[0]
return args
def render(self, request):
session = {}
return_to = self.root_url + '_openid_handle/'
oidconsumer = consumer.Consumer(session, None)
info = oidconsumer.complete(self.flatten_args(request), return_to)
display_identifier = info.getDisplayIdentifier()
if info.status == consumer.FAILURE and display_identifier:
return 'OpenID Error: %s' % display_identifier
elif info.status == consumer.CANCEL:
return 'Cancelled'
elif info.status == consumer.SUCCESS:
# Success happened!
sreg_resp = sreg.SRegResponse.fromSuccessResponse(info)
teams_resp = teams.TeamsResponse.fromSuccessResponse(info)
user = {'fullName': '', 'userName': '', 'email': '',
'groups': []}
if not sreg_resp:
return 'No sreg?'
user['userName'] = sreg_resp.get('nickname')
user['fullName'] = sreg_resp.get('fullname')
user['email'] = sreg_resp.get('email')
if teams_resp:
user['groups'] = frozenset(teams_resp.teams)
cookie, s = self.sessions.new(user['userName'], user)
request.addCookie(COOKIE_KEY, cookie, expires=s.getExpiration(),
path="/")
request.received_cookies = {COOKIE_KEY: cookie}
request.redirect(self.root_url)
return 'DONE'
else:
return 'Strange state: %s' % info.status
try:
request.finish()
except RuntimeError:
# this occurs when the client has already disconnected; ignore
# it (see #2027)
log.msg("http client disconnected before results were sent")
class Authz(object):
"""Decide who can do what."""
knownActions = [
# If you add a new action here, be sure to also update the documentation
# at docs/manual/cfg-statustargets.rst.
'view',
'gracefulShutdown',
'forceBuild',
'forceAllBuilds',
'pingBuilder',
'stopBuild',
'stopAllBuilds',
'cancelPendingBuild',
'cancelAllPendingBuilds',
'stopChange',
'cleanShutdown',
'showUsersPage',
'pauseSlave',
]
def __init__(self,
default_action=False,
auth=None,
useHttpHeader=False,
httpLoginUrl=False,
view=True,
**kwargs):
self.auth = auth
if auth:
assert IAuth.providedBy(auth)
self.useHttpHeader = useHttpHeader
self.httpLoginUrl = httpLoginUrl
self.config = dict( (a, default_action) for a in self.knownActions )
self.config['view'] = view
for act in self.knownActions:
if act in kwargs:
self.config[act] = kwargs[act]
del kwargs[act]
self.sessions = SessionManager()
if kwargs:
raise ValueError("unknown authorization action(s) " + ", ".join(kwargs.keys()))
def session(self, request):
if COOKIE_KEY in request.received_cookies:
cookie = request.received_cookies[COOKIE_KEY]
return self.sessions.get(cookie)
return None
def authenticated(self, request):
if self.useHttpHeader:
return request.getUser() != ''
return self.session(request) != None
def getUserInfo(self, user):
if self.useHttpHeader:
return dict(userName=user, fullName=user, email=user, groups=[ user ])
s = self.sessions.getUser(user)
if s:
return s.infos
def getUsername(self, request):
"""Get the userid of the user"""
if self.useHttpHeader:
return request.getUser()
s = self.session(request)
if s:
return s.user
return request.args.get("username", ["<unknown>"])[0]
def getUsernameHTML(self, request):
"""Get the user formatted in html (with possible link to email)"""
if self.useHttpHeader:
return request.getUser()
s = self.session(request)
if s:
return s.userInfosHTML()
return "not authenticated?!"
def getUsernameFull(self, request):
"""Get the full username as fullname <email>"""
if self.useHttpHeader:
return request.getUser()
s = self.session(request)
if s:
return "%(fullName)s <%(email)s>" % (s.infos)
else:
return request.args.get("username", ["<unknown>"])[0]
def getPassword(self, request):
if self.useHttpHeader:
return request.getPassword()
return request.args.get("passwd", ["<no-password>"])[0]
def advertiseAction(self, action, request):
"""Should the web interface even show the form for ACTION?"""
if action not in self.knownActions:
raise KeyError("unknown action")
cfg = self.config.get(action, False)
if cfg:
if cfg == 'auth' or callable(cfg):
return self.authenticated(request)
return cfg
def actionAllowed(self, action, request, *args):
"""Is this ACTION allowed, given this http REQUEST?"""
if action not in self.knownActions:
raise KeyError("unknown action")
cfg = self.config.get(action, False)
if cfg:
if cfg == 'auth' or callable(cfg):
if not self.auth:
return defer.succeed(False)
def check_authenticate(res):
if callable(cfg) and not cfg(self.getUsername(request), *args):
return False
return True
# retain old behaviour, if people have scripts
# without cookie support
passwd = self.getPassword(request)
if self.authenticated(request):
return defer.succeed(check_authenticate(None))
elif passwd != "<no-password>":
def check_login(cookie):
ret = False
if type(cookie) is str:
ret = check_authenticate(None)
self.sessions.remove(cookie)
return ret
d = self.login(request)
d.addBoth(check_login)
return d
else:
return defer.succeed(False)
return defer.succeed(cfg)
def login(self, request):
"""Login one user, and return session cookie"""
if self.authenticated(request):
return defer.succeed(False)
user = request.args.get("username", ["<unknown>"])[0]
passwd = request.args.get("passwd", ["<no-password>"])[0]
if user == "<unknown>" or passwd == "<no-password>":
return defer.succeed(False)
if not self.auth:
return defer.succeed(False)
d = defer.maybeDeferred(self.auth.authenticate, user, passwd)
def check_authenticate(res):
if res:
cookie, s = self.sessions.new(user, self.auth.getUserInfo(user))
request.addCookie(COOKIE_KEY, cookie, expires=s.getExpiration(),path="/")
request.received_cookies = {COOKIE_KEY:cookie}
return cookie
else:
return False
d.addBoth(check_authenticate)
return d
def logout(self, request):
if COOKIE_KEY in request.received_cookies:
cookie = request.received_cookies[COOKIE_KEY]
self.sessions.remove(cookie)
class GoogleOAuth2AuthZ(object):
"""Decide who can do what."""
def __init__(self, url, client_id, client_secret, root_uri, **kwargs):
unknown = []
self.permissions = {}
for group in kwargs:
self.permissions[group] = []
for perm in kwargs[group]:
if perm in Authz.knownActions:
self.permissions[group].append(perm)
else:
unknown.append(perm)
self.url = url
self.client_id = client_id
self.client_secret = client_secret
self.root_uri = root_uri
self.sessions = SessionManager()
self.init_childs = False
# This makes us get self.master as per baseweb.py:472
self.auth = self
# This makes the login form be a link
self.useHttpHeader = True
self.httpLoginUrl = "/_google_oauth2_handler"
if unknown != []:
raise ValueError("Unknown authorization action(s) " + ", ".join(unknown))
def session(self, request):
if COOKIE_KEY in request.received_cookies:
cookie = request.received_cookies[COOKIE_KEY]
return self.sessions.get(cookie)
return None
def authenticated(self, request):
return self.session(request) is not None
def getUserInfo(self, user):
s = self.sessions.getUser(user)
if s:
return s.infos
return None
def getUsername(self, request):
"""Get the userid of the user"""
s = self.session(request)
if s:
return s.user
return "<unknown>"
def getUsernameHTML(self, request):
"""Get the user formatted in html (with possible link to email)"""
s = self.session(request)
if s:
return s.userInfosHTML()
return "not authenticated?!"
def getUsernameFull(self, request):
"""Get the full username as fullname <email>"""
s = self.session(request)
if s:
return "%(fullName)s <%(email)s>" % (s.infos)
else:
return request.args.get("username", ["<unknown>"])[0]
def create_childs(self, request):
# We need to create the childs with this workaround
# because we won't get the site information prior
# to handling the very first request
if not self.init_childs:
self.init_childs = True
request.site.resource.putChild("_google_oauth2_handler", GoogleOAuth2Handler(self))
def shouldAllowAction(self, action, request):
self.create_childs(request)
if action in self.permissions.get("all", []):
return True
s = self.getUsername(request)
if s and not s == "<unknown>":
if action in self.permissions.get("authenticated", []):
return True
return False
def advertiseAction(self, action, request):
"""Should the web interface even show the form for ACTION?"""
if action not in Authz.knownActions:
raise KeyError("unknown action")
return self.shouldAllowAction(action, request)
def actionAllowed(self, action, request, *_):
"""Is this ACTION allowed, given this http REQUEST?"""
if action not in Authz.knownActions:
raise KeyError("unknown action")
return defer.succeed(self.shouldAllowAction(action, request))
def logout(self, request):
if COOKIE_KEY in request.received_cookies:
cookie = request.received_cookies[COOKIE_KEY]
self.sessions.remove(cookie)
def getLoginURL(self):
oauth_params = {
"redirect_uri": self.root_uri + "_google_oauth2_handler",
"client_id": self.client_id,
"response_type": "code",
"scope": INFOSCOPE,
"access_type": "offline",
}
return "%s?%s" % (AUTHURI, urlencode(oauth_params))
class GithubOAuth2AuthZ(object):
"""Decide who can do what."""
def __init__(self, url, client_id, client_secret, root_uri, **kwargs):
unknown = []
self.permissions = {}
for group in kwargs:
self.permissions[group] = []
for perm in kwargs[group]:
if perm in Authz.knownActions:
self.permissions[group].append(perm)
else:
unknown.append(perm)
self.url = url
self.client_id = client_id
self.client_secret = client_secret
self.root_uri = root_uri
self.sessions = SessionManager()
self.init_childs = False
# This makes us get self.master as per baseweb.py:472
self.auth = self
# This makes the login form be a link
self.useHttpHeader = True
self.httpLoginUrl = '/_github_oauth2_handler'
if unknown != []:
raise ValueError('Unknown authorization action(s) ' +
', '.join(unknown))
def session(self, request):
if COOKIE_KEY in request.received_cookies:
cookie = request.received_cookies[COOKIE_KEY]
return self.sessions.get(cookie)
return None
def authenticated(self, request):
return self.session(request) is not None
def getUserInfo(self, user):
s = self.sessions.getUser(user)
if s:
return s.infos
return None
def getUsername(self, request):
"""Get the userid of the user"""
s = self.session(request)
if s:
return s.user
return '<unknown>'
def getUsernameHTML(self, request):
"""Get the user formatted in html (with possible link to email)"""
s = self.session(request)
if s:
return s.userInfosHTML()
return "not authenticated?!"
def getUsernameFull(self, request):
"""Get the full username as fullname <email>"""
s = self.session(request)
if s:
return "%(fullName)s <%(email)s>" % (s.infos)
else:
return request.args.get("username", ["<unknown>"])[0]
def create_childs(self, request):
# We need to create the childs with this workaround
# because we won't get the site information prior
# to handling the very first request
if not self.init_childs:
self.init_childs = True
request.site.resource.putChild('_github_oauth2_handler', GithubOAuth2Handler(self))
def shouldAllowAction(self, action, request):
self.create_childs(request)
if action in self.permissions.get('all', []):
return True
s = self.getUsername(request)
if s and not s == '<unknown>':
if action in self.permissions.get('authenticated', []):
return True
return False
def advertiseAction(self, action, request):
"""Should the web interface even show the form for ACTION?"""
if action not in Authz.knownActions:
raise KeyError("unknown action")
return self.shouldAllowAction(action, request)
def actionAllowed(self, action, request, *_):
"""Is this ACTION allowed, given this http REQUEST?"""
if action not in Authz.knownActions:
raise KeyError("unknown action")
return defer.succeed(self.shouldAllowAction(action, request))
def logout(self, request):
if COOKIE_KEY in request.received_cookies:
cookie = request.received_cookies[COOKIE_KEY]
self.sessions.remove(cookie)
def getLoginURL(self):
oauth_params = {'redirect_uri': self.root_uri + '_github_oauth2_handler',
'client_id': self.client_id,
'response_type': 'code',
'access_type': 'offline'
}
return "%s?%s" % (AUTHURI, urlencode(oauth_params))
class Authz(object):
"""Decide who can do what."""
knownActions = [
# If you add a new action here, be sure to also update the documentation
# at docs/cfg-statustargets.texinfo
'gracefulShutdown',
'forceBuild',
'forceAllBuilds',
'pingBuilder',
'stopBuild',
'stopAllBuilds',
'cancelPendingBuild',
'stopChange',
'cleanShutdown',
'showUsersPage',
]
def __init__(self,
default_action=False,
auth=None,
useHttpHeader=False,
httpLoginUrl=False,
**kwargs):
self.auth = auth
if auth:
assert IAuth.providedBy(auth)
self.useHttpHeader = useHttpHeader
self.httpLoginUrl = httpLoginUrl
self.config = dict((a, default_action) for a in self.knownActions)
for act in self.knownActions:
if act in kwargs:
self.config[act] = kwargs[act]
del kwargs[act]
self.sessions = SessionManager()
if kwargs:
raise ValueError("unknown authorization action(s) " +
", ".join(kwargs.keys()))
def session(self, request):
if COOKIE_KEY in request.received_cookies:
cookie = request.received_cookies[COOKIE_KEY]
return self.sessions.get(cookie)
return None
def authenticated(self, request):
if self.useHttpHeader:
return request.getUser() != ''
return self.session(request) != None
def getUserInfo(self, user):
if self.useHttpHeader:
return dict(userName=user,
fullName=user,
email=user,
groups=[user])
s = self.sessions.getUser(user)
if s:
return s.infos
def getUsername(self, request):
"""Get the userid of the user"""
if self.useHttpHeader:
return request.getUser()
s = self.session(request)
if s:
return s.user
return request.args.get("username", ["<unknown>"])[0]
def getUsernameHTML(self, request):
"""Get the user formatated in html (with possible link to email)"""
if self.useHttpHeader:
return request.getUser()
s = self.session(request)
if s:
return s.userInfosHTML()
return "not authenticated?!"
def getUsernameFull(self, request):
"""Get the full username as fullname <email>"""
if self.useHttpHeader:
return request.getUser()
s = self.session(request)
if s:
return "%(fullName)s <%(email)s>" % (s.infos)
else:
return request.args.get("username", ["<unknown>"])[0]
def getPassword(self, request):
if self.useHttpHeader:
return request.getPassword()
return request.args.get("passwd", ["<no-password>"])[0]
def advertiseAction(self, action, request):
"""Should the web interface even show the form for ACTION?"""
if action not in self.knownActions:
raise KeyError("unknown action")
cfg = self.config.get(action, False)
if cfg:
if cfg == 'auth' or callable(cfg):
return self.authenticated(request)
return cfg
def actionAllowed(self, action, request, *args):
"""Is this ACTION allowed, given this http REQUEST?"""
if action not in self.knownActions:
raise KeyError("unknown action")
cfg = self.config.get(action, False)
if cfg:
if cfg == 'auth' or callable(cfg):
if not self.auth:
return defer.succeed(False)
def check_authenticate(res):
if callable(cfg) and not cfg(self.getUsername(request), *
args):
return False
return True
# retain old behaviour, if people have scripts
# without cookie support
passwd = self.getPassword(request)
if self.authenticated(request):
return defer.succeed(check_authenticate(None))
elif passwd != "<no-password>":
def check_login(cookie):
ret = False
if type(cookie) is str:
ret = check_authenticate(None)
self.sessions.remove(cookie)
return ret
d = self.login(request)
d.addBoth(check_login)
return d
else:
return defer.succeed(False)
return defer.succeed(cfg)
def login(self, request):
"""Login one user, and return session cookie"""
if self.authenticated(request):
return defer.succeed(False)
user = request.args.get("username", ["<unknown>"])[0]
passwd = request.args.get("passwd", ["<no-password>"])[0]
if user == "<unknown>" or passwd == "<no-password>":
return defer.succeed(False)
if not self.auth:
return defer.succeed(False)
d = defer.maybeDeferred(self.auth.authenticate, user, passwd)
def check_authenticate(res):
if res:
cookie, s = self.sessions.new(user,
self.auth.getUserInfo(user))
request.addCookie(COOKIE_KEY,
cookie,
s.getExpiration(),
path="/")
request.received_cookies = {COOKIE_KEY: cookie}
return cookie
else:
return False
d.addBoth(check_authenticate)
return d
def logout(self, request):
if COOKIE_KEY in request.received_cookies:
cookie = request.received_cookies[COOKIE_KEY]
self.sessions.remove(cookie)
def __init__(self, root_url):
self.root_url = root_url
self.isLeaf = True
self.sessions = SessionManager()
class OpenIDAuthz(object):
"""Decide who can do what."""
def __init__(self,
openid_provider,
check_certificate=True,
**kwargs):
unknown = []
self.permissions = {}
for group in kwargs:
# Work around the limitations of python identifiers:
# python identifiers don't support dashes, while unix group names do
# This is admittedly a hack, but if you have a better way: a PR is welcome
group = group.replace('_DASH_', '-')
self.permissions[group] = []
for perm in kwargs[group]:
if perm in Authz.knownActions:
self.permissions[group].append(perm)
else:
unknown.append(perm)
self.openid_provider = openid_provider
self.sessions = SessionManager()
self.init_childs = False
if not check_certificate:
setDefaultFetcher(Urllib2Fetcher())
# This makes us get self.master as per baseweb.py:472
self.auth = self
# This makes the login form be a link
self.useHttpHeader = True
if unknown != []:
raise ValueError('Unknown authorization action(s) ' +
', '.join(unknown))
def session(self, request):
if COOKIE_KEY in request.received_cookies:
cookie = request.received_cookies[COOKIE_KEY]
return self.sessions.get(cookie)
return None
def authenticated(self, request):
return self.session(request) is not None
def getUserInfo(self, user):
s = self.sessions.getUser(user)
if s:
return s.infos
return None
def getUsername(self, request):
"""Get the userid of the user"""
s = self.session(request)
if s:
return s.user
return '<unknown>'
def getUsernameHTML(self, request):
"""Get the user formatted in html (with possible link to email)"""
s = self.session(request)
if s:
return s.userInfosHTML().decode('UTF-8')
return "not authenticated?!"
def getUsernameFull(self, request):
"""Get the full username as fullname <email>"""
s = self.session(request)
if s:
return "%(fullName)s <%(email)s>" % (s.infos)
else:
return request.args.get("username", ["<unknown>"])[0]
def getPassword(self, request):
return '<no-password>'
def create_childs(self, request):
# We need to create the childs with this workaround
# because we won't get the site information prior
# to handling the very first request
if not self.init_childs:
self.init_childs = True
status = request.site.buildbot_service.master.status
root = status.getBuildbotURL()
self.httpLoginUrl = '%s/_openid_start/' % root
request.site.resource.putChild('_openid_start',
OpenIDStart(self.permissions.keys(),
self.openid_provider,
root))
request.site.resource.putChild('_openid_handle',
OpenIDHandle(root))
def shouldAllowAction(self, action, request):
self.create_childs(request)
if action in self.permissions.get('_all_', []):
return True
s = self.sessions.getUser(request)
if s:
if action in self.permissions.get('_authenticated_', []):
return True
for group in s.infos['groups']:
if action in self.permissions.get(group, []):
return True
return False
def advertiseAction(self, action, request):
"""Should the web interface even show the form for ACTION?"""
if action not in Authz.knownActions:
raise KeyError("unknown action")
return self.shouldAllowAction(action, request)
def actionAllowed(self, action, request, *args):
"""Is this ACTION allowed, given this http REQUEST?"""
if action not in Authz.knownActions:
raise KeyError("unknown action")
return defer.succeed(self.shouldAllowAction(action, request))
def logout(self, request):
if COOKIE_KEY in request.received_cookies:
cookie = request.received_cookies[COOKIE_KEY]
self.sessions.remove(cookie)
def __init__(self, root_url):
self.root_url = root_url
self.isLeaf = True
self.sessions = SessionManager()
class OpenIDAuthz(object):
"""Decide who can do what."""
def __init__(self,
openid_provider,
check_certificate=True,
**kwargs):
unknown = []
self.permissions = {}
for group in kwargs:
self.permissions[group] = []
for perm in kwargs[group]:
if perm in Authz.knownActions:
self.permissions[group].append(perm)
else:
unknown.append(perm)
self.openid_provider = openid_provider
self.sessions = SessionManager()
self.init_childs = False
if not check_certificate:
setDefaultFetcher(Urllib2Fetcher())
# This makes us get self.master as per baseweb.py:472
self.auth = self
# This makes the login form be a link
self.useHttpHeader = True
self.httpLoginUrl = '/_openid_start/'
if unknown != []:
raise ValueError('Unknown authorization action(s) ' +
', '.join(unknown))
def session(self, request):
if COOKIE_KEY in request.received_cookies:
cookie = request.received_cookies[COOKIE_KEY]
return self.sessions.get(cookie)
return None
def authenticated(self, request):
return self.session(request) is not None
def getUserInfo(self, user):
s = self.sessions.getUser(user)
if s:
return s.infos
return None
def getUsername(self, request):
"""Get the userid of the user"""
s = self.session(request)
if s:
return s.user
return '<unknown>'
def getUsernameHTML(self, request):
"""Get the user formatted in html (with possible link to email)"""
s = self.session(request)
if s:
return s.userInfosHTML()
return "not authenticated?!"
def getUsernameFull(self, request):
"""Get the full username as fullname <email>"""
s = self.session(request)
if s:
return "%(fullName)s <%(email)s>" % (s.infos)
else:
return request.args.get("username", ["<unknown>"])[0]
def getPassword(self, request):
return '<no-password>'
def create_childs(self, request):
# We need to create the childs with this workaround
# because we won't get the site information prior
# to handling the very first request
if not self.init_childs:
self.init_childs = True
status = request.site.buildbot_service.master.status
root = status.getBuildbotURL()
request.site.resource.putChild('_openid_start',
OpenIDStart(self.permissions.keys(),
self.openid_provider,
root))
request.site.resource.putChild('_openid_handle',
OpenIDHandle(root))
def shouldAllowAction(self, action, request):
self.create_childs(request)
if action in self.permissions.get('_all_', []):
return True
s = self.sessions.getUser(request)
if s:
if action in self.permissions.get('_authenticated_', []):
return True
for group in s.infos['groups']:
if action in self.permissions.get(group, []):
return True
return False
def advertiseAction(self, action, request):
"""Should the web interface even show the form for ACTION?"""
if action not in Authz.knownActions:
raise KeyError("unknown action")
return self.shouldAllowAction(action, request)
def actionAllowed(self, action, request, *args):
"""Is this ACTION allowed, given this http REQUEST?"""
if action not in Authz.knownActions:
raise KeyError("unknown action")
return defer.succeed(self.shouldAllowAction(action, request))
def logout(self, request):
if COOKIE_KEY in request.received_cookies:
cookie = request.received_cookies[COOKIE_KEY]
self.sessions.remove(cookie)
