Posted to commits@allura.apache.org by jo...@apache.org on 2014/03/18 21:35:45 UTC

[2/4] git commit: [#6701] Refactored permission handling

[#6701] Refactored permission handling

Signed-off-by: Cory Johns <cj...@slashdotmedia.com>


Project: http://git-wip-us.apache.org/repos/asf/incubator-allura/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-allura/commit/25dd9b47
Tree: http://git-wip-us.apache.org/repos/asf/incubator-allura/tree/25dd9b47
Diff: http://git-wip-us.apache.org/repos/asf/incubator-allura/diff/25dd9b47

Branch: refs/heads/cj/6701
Commit: 25dd9b47daab97ed11faacb32b56cb84138bf141
Parents: 5dfbdfc
Author: Cory Johns <cj...@slashdotmedia.com>
Authored: Tue Mar 18 16:28:30 2014 +0000
Committer: Cory Johns <cj...@slashdotmedia.com>
Committed: Tue Mar 18 16:28:30 2014 +0000

----------------------------------------------------------------------
 scripts/ApacheAccessHandler.py | 63 +++++++++++++++++--------------------
 1 file changed, 28 insertions(+), 35 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-allura/blob/25dd9b47/scripts/ApacheAccessHandler.py
----------------------------------------------------------------------
diff --git a/scripts/ApacheAccessHandler.py b/scripts/ApacheAccessHandler.py
index 99d05ef..0eeab63 100644
--- a/scripts/ApacheAccessHandler.py
+++ b/scripts/ApacheAccessHandler.py
@@ -28,7 +28,6 @@ Here is a quick example for your apache settings (assuming ProxyPass)
 
 
 from mod_python import apache
-import re
 import os
 # because urllib is not for humans
 import requests
@@ -70,6 +69,28 @@ def mangle(path):
     return '/'.join(parts)
 
 
+def get_permission_name(req_path, req_query, req_method):
+    """
+    Determine whether the request is trying to read or write,
+    and return the name of the appropriate permission to check.
+    """
+    if req_path.startswith('/git/'):
+        if req_path.endswith('/git-receive-pack') or 'service=git-receive-pack' in req_query:
+            return 'allow_write'
+        else:
+            return 'allow_read'
+    elif req_path.startswith('/svn/'):
+        if req_method in ('MKACTIVITY', 'PROPPATCH', 'PUT', 'CHECKOUT', 'MKCOL',
+                          'MOVE', 'COPY', 'DELETE', 'LOCK', 'UNLOCK', 'MERGE', 'POST'):
+            return 'allow_write'
+        elif req_method in ("GET", "PROPFIND", "OPTIONS", "REPORT"):
+            return 'allow_read'
+        else:
+            return 'allow_write'  # default to requiring write permission
+    elif req_path.startswith('/hg/'):
+        return 'allow_write'  # TODO: Differentiate reads and write for Hg
+
+
 def handler(req):
     req.add_common_vars()
     req_path = str(req.parsed_uri[apache.URI_PATH])
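Review bot: In `get_permission_name` the `/git/` branch falls back to `allow_read` for every request it does not recognise as a push, while the `/svn/` branch falls back to `allow_write`, so the two branches fail in opposite directions. The push test is now an exact `endswith('/git-receive-pack')`, which is narrower than the unanchored regex this commit removes from `handler`. Whether any other path form can reach receive-pack on the backend depends on the Apache configuration, which is not visible here, so confirm that or document the read fallback as intentional. The function also returns `None` implicitly for paths outside `/git/`, `/svn/` and `/hg/`, and the caller's `cred.get(permission, False)` then presumably denies. An explicit final `return None  # unknown path: caller must deny` plus a sentence in the docstring would make that fail-closed behaviour deliberate.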
@@ -89,10 +110,10 @@ def handler(req):
     if req_user:
         log(req, "USER: "+req_user)
         params['username'] = req_user
-        if not ldap_auth(req, req.user, req_passwd):
+        if not ldap_auth(req, req_user, req_passwd):
             return apache.HTTP_UNAUTHORIZED
             #return apache.HTTP_FORBIDDEN
-        log(req, "USER: "+req.user)
+        log(req, "USER: "+req_user)
     else:
         log(req, "USER: Anonymous")
 
@@ -108,43 +129,15 @@ def handler(req):
         log(req, "error decoding JSON %s %s" % (r.headers['content-type'], ex))
         return apache.HTTP_FORBIDDEN
 
-    #
-    # Distinguish READ and WRITE
-    #
-    # TODO: HG
-    #
-
-    authorized = False
-    # GIT
-    if re.match('^/git/.*', req_path):
-        if re.match('.*/git-receive-pack', req_path) or re.match('service=git-receive-pack', req_query):
-            # Write access
-            log(req, "Request is GIT Auth Write")
-            authorized = cred.get('allow_write', False)
-        else:
-            # Read access
-            log(req, "Request is GIT Auth READ")
-            authorized = cred.get('allow_read', False)
-    # SVN
-    if re.match('^/svn/.*', req_path):
-        if req_method in ('MKACTIVITY', 'PROPPATCH', 'PUT', 'CHECKOUT', 'MKCOL',
-                          'MOVE', 'COPY', 'DELETE', 'LOCK', 'UNLOCK', 'MERGE', 'POST'):
-            # Write access
-            log(req, "Request is SVN Auth WRITE")
-            authorized = cred.get('allow_write', False)
-        elif req_method in ("GET", "PROPFIND", "OPTIONS", "REPORT"):
-            # Read access
-            log(req, "Request is SVN Auth READ")
-            authorized = cred.get('allow_read', False)
-        else:
-            log(req, "Request is SVN unknown %s" % req_method)
+    permission = get_permission_name(req_path, req_method)
+    authorized = cred.get(permission, False)
 
-    log(req, "%s -> %s -> authorized:%s" % (r.url, cred, authorized))
+    log(req, "%s -> %s -> %s -> authorized:%s" % (r.url, cred, permission, authorized))
 
     if authorized:
         log(req, "Request ACCEPTED")
         return apache.OK
-    elif req.user:
+    elif req_user:
         log(req, "Request FORBIDDEN")
         return apache.HTTP_UNAUTHORIZED
         #return apache.HTTP_FORBIDDEN
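Review bot: The new call `get_permission_name(req_path, req_method)` passes two arguments, but the function added earlier in this commit is declared as `get_permission_name(req_path, req_query, req_method)`, so this line raises `TypeError` on every request that reaches it. It should read `permission = get_permission_name(req_path, req_query, req_method)`; the removed code used `req_query` at this point, so it is presumably still in scope. The failure would surface as a server error rather than a grant, but it leaves the access handler unusable. A small unit test of `get_permission_name` and one covering this call site would catch it. `handler` starts and ends outside the hunk.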