mirror of
https://github.com/ansible/awx.git
synced 2026-03-13 23:17:32 -02:30
Get users from the http_session, authorize job, workflow, and adhoc event access against RBAC
This commit is contained in:
Wayne Witzel III
@@ -25,7 +25,7 @@ from awx.main.task_engine import TaskEnhancer
|
|||||||
from awx.conf.license import LicenseForbids
|
from awx.conf.license import LicenseForbids
|
||||||
|
|
||||||
__all__ = ['get_user_queryset', 'check_user_access', 'check_user_access_with_errors',
|
__all__ = ['get_user_queryset', 'check_user_access', 'check_user_access_with_errors',
|
||||||
'user_accessible_objects',
|
'user_accessible_objects', 'consumer_access',
|
||||||
'user_admin_role', 'StateConflict',]
|
'user_admin_role', 'StateConflict',]
|
||||||
|
|
||||||
PERMISSION_TYPES = [
|
PERMISSION_TYPES = [
|
||||||
@@ -164,6 +164,17 @@ def check_superuser(func):
|
|||||||
return wrapper
|
return wrapper
|
||||||
|
|
||||||
|
|
||||||
|
def consumer_access(group_name):
|
||||||
|
'''
|
||||||
|
consumer_access returns the proper Access class based on group_name
|
||||||
|
for a channels consumer.
|
||||||
|
'''
|
||||||
|
class_map = {'job_events': JobAccess,
|
||||||
|
'workflow_events': WorkflowJobAccess,
|
||||||
|
'ad_hoc_command_events': AdHocCommandAccess}
|
||||||
|
return class_map.get(group_name)
|
||||||
|
|
||||||
|
|
||||||
class BaseAccess(object):
|
class BaseAccess(object):
|
||||||
'''
|
'''
|
||||||
Base class for checking user access to a given model. Subclasses should
|
Base class for checking user access to a given model. Subclasses should
|
||||||
|
|||||||
@@ -1,13 +1,11 @@
|
|||||||
import json
|
import json
|
||||||
import urlparse
|
|
||||||
import logging
|
import logging
|
||||||
|
|
||||||
from channels import Group
|
from channels import Group
|
||||||
from channels.sessions import channel_session
|
from channels.sessions import channel_session
|
||||||
|
from channels.auth import channel_session_user, http_session_user, transfer_user
|
||||||
|
|
||||||
from django.contrib.auth.models import User
|
|
||||||
from django.core.serializers.json import DjangoJSONEncoder
|
from django.core.serializers.json import DjangoJSONEncoder
|
||||||
from awx.main.models.organization import AuthToken
|
|
||||||
|
|
||||||
|
|
||||||
logger = logging.getLogger('awx.main.consumers')
|
logger = logging.getLogger('awx.main.consumers')
|
||||||
@@ -19,51 +17,32 @@ def discard_groups(message):
|
|||||||
Group(group).discard(message.reply_channel)
|
Group(group).discard(message.reply_channel)
|
||||||
|
|
||||||
|
|
||||||
def validate_token(token):
|
@http_session_user
|
||||||
try:
|
|
||||||
auth_token = AuthToken.objects.get(key=token)
|
|
||||||
if not auth_token.in_valid_tokens:
|
|
||||||
return None
|
|
||||||
except AuthToken.DoesNotExist:
|
|
||||||
return None
|
|
||||||
return auth_token
|
|
||||||
|
|
||||||
|
|
||||||
def user_from_token(auth_token):
|
|
||||||
try:
|
|
||||||
return User.objects.get(pk=auth_token.user_id)
|
|
||||||
except User.DoesNotExist:
|
|
||||||
return None
|
|
||||||
|
|
||||||
|
|
||||||
@channel_session
|
@channel_session
|
||||||
def ws_connect(message):
|
def ws_connect(message):
|
||||||
token = None
|
if message.http_session:
|
||||||
qs = urlparse.parse_qs(message['query_string'])
|
# our backend is not set on the http_session so we need to update the session before
|
||||||
if 'token' in qs:
|
# calling transfer_user. This is why we are doing this manually instead of using the
|
||||||
if len(qs['token']) > 0:
|
# all-in-one helper decorator.
|
||||||
token = qs['token'].pop()
|
message.http_session.update({'_auth_user_backend':'django.contrib.auth.backends.ModelBackend'})
|
||||||
message.channel_session['token'] = token
|
transfer_user(message.http_session, message.channel_session)
|
||||||
|
message.reply_channel.send({"text": json.dumps({"accept": True, "user": message.user.id})})
|
||||||
|
else:
|
||||||
|
message.reply_channel.send({"text": json.dumps({"accept": False, "user": None})})
|
||||||
|
|
||||||
|
|
||||||
@channel_session
|
@channel_session_user
|
||||||
def ws_disconnect(message):
|
def ws_disconnect(message):
|
||||||
discard_groups(message)
|
discard_groups(message)
|
||||||
|
|
||||||
|
|
||||||
@channel_session
|
@channel_session_user
|
||||||
def ws_receive(message):
|
def ws_receive(message):
|
||||||
token = message.channel_session.get('token')
|
from awx.main.access import consumer_access
|
||||||
|
|
||||||
auth_token = validate_token(token)
|
user = message.user
|
||||||
if auth_token is None:
|
if user.id is None:
|
||||||
logger.error("Authentication Failure validating user")
|
logger.error("No valid user found for websocket.")
|
||||||
message.reply_channel.send({"text": json.dumps({"error": "invalid auth token"})})
|
|
||||||
return None
|
|
||||||
|
|
||||||
user = user_from_token(auth_token)
|
|
||||||
if user is None:
|
|
||||||
logger.error("No valid user corresponding to submitted auth_token")
|
|
||||||
message.reply_channel.send({"text": json.dumps({"error": "no valid user"})})
|
message.reply_channel.send({"text": json.dumps({"error": "no valid user"})})
|
||||||
return None
|
return None
|
||||||
|
|
||||||
@@ -78,6 +57,12 @@ def ws_receive(message):
|
|||||||
if type(v) is list:
|
if type(v) is list:
|
||||||
for oid in v:
|
for oid in v:
|
||||||
name = '{}-{}'.format(group_name, oid)
|
name = '{}-{}'.format(group_name, oid)
|
||||||
|
access_cls = consumer_access(group_name)
|
||||||
|
if access_cls is not None:
|
||||||
|
user_access = access_cls(user)
|
||||||
|
if not user_access.get_queryset().filter(pk=oid).exists():
|
||||||
|
message.reply_channel.send({"text": json.dumps({"error": "access denied to channel {0} for resource id {1}".format(group_name, oid)})})
|
||||||
|
continue
|
||||||
current_groups.append(name)
|
current_groups.append(name)
|
||||||
Group(name).add(message.reply_channel)
|
Group(name).add(message.reply_channel)
|
||||||
else:
|
else:
|
||||||
|
|||||||
Reference in New Issue
Block a user