def _auth_decorator(self, *args, **kwargs):
# Check Authentication
# Run through each registered and enabled auth function
is_consumer = False
registered_auth_functions = [check_preauthenticated,
password_authentication,
user_cert_authentication,
consumer_cert_authentication,
oauth_authentication]
user_authenticated = False
for authenticate_user in registered_auth_functions:
if authenticate_user == oauth_authentication:
userid, is_consumer = authenticate_user()
else:
userid = authenticate_user()
if userid is not None:
user_authenticated = True
if authenticate_user == consumer_cert_authentication:
is_consumer = True
break
if not user_authenticated:
raise PulpCodedAuthenticationException(error_code=error_codes.PLP0025)
# Check Authorization
principal_manager = factory.principal_manager()
user_query_manager = factory.user_query_manager()
if super_user_only and not user_query_manager.is_superuser(userid):
raise PulpCodedAuthenticationException(error_code=error_codes.PLP0026, user=userid,
operation=OPERATION_NAMES[operation])
# if the operation is None, don't check authorization
elif operation is not None:
if is_consumer:
if is_consumer_authorized(http.resource_path(), userid, operation):
# set default principal = SYSTEM
principal_manager.set_principal()
else:
raise PulpCodedAuthenticationException(error_code=error_codes.PLP0026,
user=userid,
operation=OPERATION_NAMES[operation])
elif user_query_manager.is_authorized(http.resource_path(), userid, operation):
user = user_query_manager.find_by_login(userid)
principal_manager.set_principal(user)
else:
raise PulpCodedAuthenticationException(error_code=error_codes.PLP0026,
user=userid,
operation=OPERATION_NAMES[operation])
# Authentication and authorization succeeded. Call method and then clear principal.
value = method(self, *args, **kwargs)
principal_manager.clear_principal()
return value
def _auth_decorator(self, *args, **kwargs):
# Check Authentication
# Run through each registered and enabled auth function
is_consumer = False
registered_auth_functions = [
check_preauthenticated, password_authentication,
user_cert_authentication, consumer_cert_authentication,
oauth_authentication
]
user_authenticated = False
for authenticate_user in registered_auth_functions:
if authenticate_user == oauth_authentication:
userid, is_consumer = authenticate_user()
else:
userid = authenticate_user()
if userid is not None:
user_authenticated = True
if authenticate_user == consumer_cert_authentication:
is_consumer = True
break
if not user_authenticated:
raise AuthenticationFailed(auth_utils.CODE_FAILED)
# Check Authorization
principal_manager = factory.principal_manager()
user_query_manager = factory.user_query_manager()
if super_user_only and not user_query_manager.is_superuser(userid):
raise AuthenticationFailed(auth_utils.CODE_PERMISSION)
# if the operation is None, don't check authorization
elif operation is not None:
if is_consumer:
if is_consumer_authorized(http.resource_path(), userid,
operation):
# set default principal = SYSTEM
principal_manager.set_principal()
else:
raise AuthenticationFailed(auth_utils.CODE_PERMISSION)
elif user_query_manager.is_authorized(http.resource_path(),
userid, operation):
user = user_query_manager.find_by_login(userid)
principal_manager.set_principal(user)
else:
raise AuthenticationFailed(auth_utils.CODE_PERMISSION)
# Authentication and authorization succeeded. Call method and then clear principal.
value = method(self, *args, **kwargs)
principal_manager.clear_principal()
return value
def _verify_auth(self, operation, super_user_only, method, *args, **kwargs):
"""
Internal method for checking authentication and authorization. This code
is kept outside of the decorator which calls it so that it can be mocked.
This allows for the decorator itself which calls here to have assertions
made about the operation and super_user values set in the view code.
An operation of None means not to check authorization; only check
authentication.
The super_user_only flag set to True means that only members of the
built in SuperUsers role are authorized.
:type operation: int or None
:param operation: The operation a user needs permission for, or None to
skip authorization.
:type super_user_only: bool
:param super_user_only: Only authorize a user if they are a super user.
"""
# Check Authentication
# Run through each registered and enabled auth function
is_consumer = False
registered_auth_functions = [
check_preauthenticated, password_authentication,
user_cert_authentication, consumer_cert_authentication,
oauth_authentication
]
user_authenticated = False
for authenticate_user in registered_auth_functions:
if authenticate_user == oauth_authentication:
userid, is_consumer = authenticate_user()
else:
userid = authenticate_user()
if userid is not None:
user_authenticated = True
if authenticate_user == consumer_cert_authentication:
is_consumer = True
break
if not user_authenticated:
raise PulpCodedAuthenticationException(error_code=error_codes.PLP0025)
# Check Authorization
principal_manager = factory.principal_manager()
user_query_manager = factory.user_query_manager()
if super_user_only and not user_query_manager.is_superuser(userid):
raise PulpCodedAuthenticationException(
error_code=error_codes.PLP0026,
user=userid,
operation=OPERATION_NAMES[operation])
# if the operation is None, don't check authorization
elif operation is not None:
if is_consumer:
if is_consumer_authorized(http.resource_path(), userid, operation):
# set default principal = SYSTEM
principal_manager.set_principal()
else:
raise PulpCodedAuthenticationException(
error_code=error_codes.PLP0026,
user=userid,
operation=OPERATION_NAMES[operation])
elif user_query_manager.is_authorized(http.resource_path(), userid,
operation):
user = user_query_manager.find_by_login(userid)
principal_manager.set_principal(user)
else:
raise PulpCodedAuthenticationException(
error_code=error_codes.PLP0026,
user=userid,
operation=OPERATION_NAMES[operation])
# Authentication and authorization succeeded. Call method and then clear principal.
value = method(self, *args, **kwargs)
principal_manager.clear_principal()
return value
def _auth_decorator(self, *args, **kwargs):
# XXX jesus h christ: is this some god awful shit
# please, please refactor this into ... something ... anything!
user = None
is_consumer = False
permissions = {'/v2/consumers/' : [0, 1]}
# first, try username:password authentication
username, password = http.username_password()
if username is not None:
user = check_username_password(username, password)
if user is None:
return self.unauthorized(user_pass_fail_msg)
# second, try certificate authentication
if user is None:
cert_pem = http.ssl_client_cert()
if cert_pem is not None:
# first, check user certificate
user = check_user_cert(cert_pem)
if user is None:
# second, check consumer certificate
# This is temporary solution to solve authorization failure for consumers
# because of no associated users. We would likely be going with a similar approach
# for v2 with static permissions for consumers instead of associates users. Once we
# have users and permissions flushed out for v2, this code will look much better.
# user = check_consumer_cert(cert_pem)
user = check_consumer_cert_no_user(cert_pem)
if user:
is_consumer = True
consumer_base_url = '/v2/consumers/%s' % user + '/'
permissions[consumer_base_url] = [0, 1, 2, 3, 4]
# third, check oauth credentials
if user is None:
auth = http.http_authorization()
username = http.request_info('HTTP_PULP_USER')
if None in (auth, username):
if cert_pem is not None:
return self.unauthorized(cert_fail_msg)
else:
meth = http.request_info('REQUEST_METHOD')
url = http.request_url()
query = http.request_info('QUERY_STRING')
user = check_oauth(username, meth, url, auth, query)
if user is None:
return self.unauthorized(oauth_fail_msg)
# authentication has failed
if user is None:
return self.unauthorized(authen_fail_msg)
# procedure to check consumer permissions - part of the temporary solution described above
def is_consumer_authorized(resource, consumer, operation):
if consumer_base_url in resource and operation in permissions[consumer_base_url]:
return True
else:
return False
# forth, check authorization
user_query_manager = factory.user_query_manager()
if super_user_only and not user_query_manager.is_superuser(user['login']):
return self.unauthorized(author_fail_msg)
# if the operation is None, don't check authorization
elif operation is not None:
if is_consumer and is_consumer_authorized(http.resource_path(), user, operation):
value = method(self, *args, **kwargs)
clear_principal()
return value
elif user_query_manager.is_authorized(http.resource_path(), user['login'], operation):
pass
else:
return self.unauthorized(author_fail_msg)
# everything ok, manage the principal and call the method
set_principal(user)
value = method(self, *args, **kwargs)
clear_principal()
return value
def _verify_auth(self, operation, super_user_only, method, *args, **kwargs):
"""
Internal method for checking authentication and authorization. This code
is kept outside of the decorator which calls it so that it can be mocked.
This allows for the decorator itself which calls here to have assertions
made about the operation and super_user values set in the view code.
An operation of None means not to check authorization; only check
authentication.
The super_user_only flag set to True means that only members of the
built in SuperUsers role are authorized.
:type operation: int or None
:param operation: The operation a user needs permission for, or None to
skip authorization.
:type super_user_only: bool
:param super_user_only: Only authorize a user if they are a super user.
"""
# Check Authentication
# Run through each registered and enabled auth function
is_consumer = False
registered_auth_functions = [check_preauthenticated,
password_authentication,
user_cert_authentication,
consumer_cert_authentication,
oauth_authentication]
user_authenticated = False
for authenticate_user in registered_auth_functions:
if authenticate_user == oauth_authentication:
userid, is_consumer = authenticate_user()
else:
userid = authenticate_user()
if userid is not None:
user_authenticated = True
if authenticate_user == consumer_cert_authentication:
is_consumer = True
break
if not user_authenticated:
raise PulpCodedAuthenticationException(error_code=error_codes.PLP0025)
# Check Authorization
principal_manager = factory.principal_manager()
user_query_manager = factory.user_query_manager()
if super_user_only and not user_query_manager.is_superuser(userid):
raise PulpCodedAuthenticationException(error_code=error_codes.PLP0026, user=userid,
operation=OPERATION_NAMES[operation])
# if the operation is None, don't check authorization
elif operation is not None:
if is_consumer:
if is_consumer_authorized(http.resource_path(), userid, operation):
# set default principal = SYSTEM
principal_manager.set_principal()
else:
raise PulpCodedAuthenticationException(error_code=error_codes.PLP0026,
user=userid,
operation=OPERATION_NAMES[operation])
elif user_query_manager.is_authorized(http.resource_path(), userid, operation):
user = user_query_manager.find_by_login(userid)
principal_manager.set_principal(user)
else:
raise PulpCodedAuthenticationException(error_code=error_codes.PLP0026,
user=userid,
operation=OPERATION_NAMES[operation])
# Authentication and authorization succeeded. Call method and then clear principal.
value = method(self, *args, **kwargs)
principal_manager.clear_principal()
return value
def _auth_required(method):
"""
Closure method for decorator.
"""
@wraps(method)
def _auth_decorator(self, *args, **kwargs):
# Check Authentication
# Run through each registered and enabled auth function
is_consumer = False
registered_auth_functions = [check_preauthenticated,
password_authentication,
user_cert_authentication,
consumer_cert_authentication,
oauth_authentication]
user_authenticated = False
for authenticate_user in registered_auth_functions:
try:
if authenticate_user == oauth_authentication:
userid, is_consumer = authenticate_user()
else:
userid = authenticate_user()
except AuthenticationFailed, ex:
return self.unauthorized(ex.msg)
if userid is not None:
user_authenticated = True
if authenticate_user == consumer_cert_authentication:
is_consumer = True
break
if not user_authenticated:
return self.unauthorized(AUTHEN_FAIL_MSG)
# Check Authorization
principal_manager = factory.principal_manager()
user_query_manager = factory.user_query_manager()
if super_user_only and not user_query_manager.is_superuser(userid):
return self.unauthorized(AUTHOR_FAIL_MSG)
# if the operation is None, don't check authorization
elif operation is not None:
if is_consumer:
if is_consumer_authorized(http.resource_path(), userid, operation):
# set default principal = SYSTEM
principal_manager.set_principal()
else:
return self.unauthorized(AUTHOR_FAIL_MSG)
elif user_query_manager.is_authorized(http.resource_path(), userid, operation):
user = user_query_manager.find_by_login(userid)
principal_manager.set_principal(user)
else:
return self.unauthorized(AUTHOR_FAIL_MSG)
# Authentication and authorization succeeded. Call method and then clear principal.
value = method(self, *args, **kwargs)
principal_manager.clear_principal()
return value
