Posted to commits@allura.apache.org by br...@apache.org on 2014/03/25 15:27:38 UTC

[40/50] git commit: [#6701] Refactored auth check

[#6701] Refactored auth check

Signed-off-by: Cory Johns <cj...@slashdotmedia.com>


Project: http://git-wip-us.apache.org/repos/asf/allura/repo
Commit: http://git-wip-us.apache.org/repos/asf/allura/commit/6cffed91
Tree: http://git-wip-us.apache.org/repos/asf/allura/tree/6cffed91
Diff: http://git-wip-us.apache.org/repos/asf/allura/diff/6cffed91

Branch: refs/heads/db/5995
Commit: 6cffed916fb2a96ceda8c179411cc49a8281cf0f
Parents: ca6dd59
Author: Cory Johns <cj...@slashdotmedia.com>
Authored: Tue Mar 18 18:47:24 2014 +0000
Committer: Cory Johns <cj...@slashdotmedia.com>
Committed: Thu Mar 20 18:43:45 2014 +0000

----------------------------------------------------------------------
 scripts/ApacheAccessHandler.py | 66 +++++++++++++++++--------------------
 1 file changed, 30 insertions(+), 36 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/allura/blob/6cffed91/scripts/ApacheAccessHandler.py
----------------------------------------------------------------------
diff --git a/scripts/ApacheAccessHandler.py b/scripts/ApacheAccessHandler.py
index 0eeab63..5f2ffce 100644
--- a/scripts/ApacheAccessHandler.py
+++ b/scripts/ApacheAccessHandler.py
@@ -64,6 +64,8 @@ def mangle(path):
     /SCM/project.neighborhood/a/b/c
     '''
     parts = [p for p in path.split(os.path.sep) if p]
+    if len(parts) < 4:
+        return None
     scm, nbhd, proj, rest = parts[0], parts[1], parts[2], parts[3:]
     parts = ['/SCM/%s.%s' % (proj, nbhd)] + rest
     return '/'.join(parts)
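Review bot: The new early return makes `mangle` yield `None` for a path with fewer than four non-empty components, but the docstring just above it (which begins outside the hunk) still describes only the successful rewrite; add `Returns None if the path is too short to hold the SCM, neighborhood and project components.` so callers such as `check_repo_path` can see the contract. Note also that the filter on the `parts` line only drops empty segments: `.` and `..` components survive into `rest` and are forwarded verbatim in the permission lookup, and whether Apache has already collapsed those in `parsed_uri` is not visible here, so it is worth confirming before relying on it. The unpacked `scm` value is never used, so `_, nbhd, proj, rest = ...` would make the intent clearer. The enclosing function starts outside the hunk.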
@@ -91,60 +93,52 @@ def get_permission_name(req_path, req_query, req_method):
         return 'allow_write'  # TODO: Differentiate reads and write for Hg
 
 
-def handler(req):
-    req.add_common_vars()
-    req_path = str(req.parsed_uri[apache.URI_PATH])
-    req_query = str(req.parsed_uri[apache.URI_QUERY])
+def check_repo_path(req):
+    repo_path = mangle(str(req.parsed_uri[apache.URI_PATH]))
+    return repo_path is not None
 
-    req_passwd = req.get_basic_auth_pw()
-    req_user = req.user
-    req_method = req.method
 
-    log(req, "PATH: %s QUERY: %s METHOD: %s" % (req_path, req_query, req_method))
+def check_authentication(req):
+    log(req, "USER: "+req.user)
+    return ldap_auth(req, req.user, req.get_basic_auth_pw())
 
-    try:
-        params = {'repo_path': mangle(req_path)}
-    except:
-        return apache.HTTP_NOT_FOUND
 
-    if req_user:
-        log(req, "USER: "+req_user)
-        params['username'] = req_user
-        if not ldap_auth(req, req_user, req_passwd):
-            return apache.HTTP_UNAUTHORIZED
-            #return apache.HTTP_FORBIDDEN
-        log(req, "USER: "+req_user)
-    else:
-        log(req, "USER: Anonymous")
-
-    url = req.get_options().get('ALLURA_PERM_URL', 'http://127.0.0.1:8080/auth/repo_permissions')
-    r = requests.get(url, params=params)
+def check_permissions(req):
+    req_path = str(req.parsed_uri[apache.URI_PATH])
+    req_query = str(req.parsed_uri[apache.URI_QUERY])
+    perm_url = req.get_options().get('ALLURA_PERM_URL', 'http://127.0.0.1:8080/auth/repo_permissions')
+    r = requests.get(perm_url, params={'username': req.user, 'repo_path': mangle(req_path)})
     if r.status_code != 200:
         log(req, "repo_permissions return error (%d)" % r.status_code)
-        return apache.HTTP_FORBIDDEN
+        return False
 
     try:
         cred = json.loads(r.content)
     except Exception as ex:
         log(req, "error decoding JSON %s %s" % (r.headers['content-type'], ex))
-        return apache.HTTP_FORBIDDEN
+        return False
 
-    permission = get_permission_name(req_path, req_method)
+    permission = get_permission_name(req_path, req_query, req.method)
     authorized = cred.get(permission, False)
 
     log(req, "%s -> %s -> %s -> authorized:%s" % (r.url, cred, permission, authorized))
+    return authorized
 
-    if authorized:
-        log(req, "Request ACCEPTED")
-        return apache.OK
-    elif req_user:
-        log(req, "Request FORBIDDEN")
-        return apache.HTTP_UNAUTHORIZED
-        #return apache.HTTP_FORBIDDEN
-    else:
-        log(req, "Request UNAUTHORIZED")
+
+def handler(req):
+    req.add_common_vars()
+
+    if not check_repo_path(req):
+        return apache.HTTP_NOT_FOUND
+
+    if req.user and not check_authentication(req):
         return apache.HTTP_UNAUTHORIZED
 
+    if not check_permissions(req):
+        return apache.HTTP_FORBIDDEN
+
+    return apache.OK
+
 
 def accesshandler(req):
     log(req, "AccessHandler")
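Review bot: An anonymous request that fails `check_permissions` now gets `HTTP_FORBIDDEN` from the new `handler`, whereas the removed tail of the old handler returned `HTTP_UNAUTHORIZED` for the anonymous case; a 403 carries no challenge, so a client fetching a read-protected repository will never be prompted for credentials unless something outside this hunk issues the challenge. Keep the distinction with `return apache.HTTP_FORBIDDEN if req.user else apache.HTTP_UNAUTHORIZED`. Separately, the `requests.get` in `check_permissions` has no `timeout`, so a stalled permission service pins an Apache worker indefinitely; `requests.get(perm_url, params=..., timeout=...)` with a short value is cheap insurance. Finally, `authorized` is whatever the JSON happens to hold (`cred.get(permission, False)`), so returning `authorized is True` would stop a non-boolean truthy value from being treated as a grant. `accesshandler` continues past the end of the hunk.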