Author: chrisz
Date: Sat Jan 26 07:13:39 2008
New Revision: 4056
URL: http://trac.turbogears.org/changeset/4056
Log:
Fixed CP request header inspection in the identity inspection (merged r3498
from 1.0 to 1.1 branch).
Modified:
branches/1.1/turbogears/command/base.py
branches/1.1/turbogears/identity/conditions.py
Modified: branches/1.1/turbogears/command/base.py
==============================================================================
--- branches/1.1/turbogears/command/base.py (original)
+++ branches/1.1/turbogears/command/base.py Sat Jan 26 07:13:39 2008
@@ -13,7 +13,7 @@
import turbogears
from turbogears.util import get_model, load_project_config, \
get_project_config, get_package_name
-from turbogears.identity import SecureObject,from_any_host
+from turbogears.identity import SecureObject, from_any_host
from turbogears import config, database
from sacommand import sacommand
Modified: branches/1.1/turbogears/identity/conditions.py
==============================================================================
--- branches/1.1/turbogears/identity/conditions.py (original)
+++ branches/1.1/turbogears/identity/conditions.py Sat Jan 26 07:13:39 2008
@@ -52,16 +52,17 @@
A compound predicate that evaluates to true if any one of its
sub-predicates
evaluates to true.
'''
- error_message= "No predicates were able to grant access"
+ error_message = "No predicates were able to grant access"
- def eval_with_object( self, obj, errors=None ):
+ def eval_with_object(self, obj, errors=None):
'''
Return true if any sub-predicate evaluates to true.
'''
for p in self.predicates:
- if p.eval_with_object( obj, None ):
+ if p.eval_with_object(obj, None):
return True
- self.append_error_message( errors )
+
+ self.append_error_message(errors)
return False
@@ -70,22 +71,23 @@
A mix-in helper class for Identity Predicates.
'''
def __nonzero__(self):
- return self.eval_with_object( current )
+ return self.eval_with_object(current)
class in_group(Predicate, IdentityPredicateHelper):
'''
Predicate for requiring a group.
'''
- error_message= "Not member of group: %(group_name)s"
+ error_message = "Not member of group: %(group_name)s"
def __init__(self, group_name):
- self.group_name= group_name
+ self.group_name = group_name
- def eval_with_object( self, identity, errors=None ):
+ def eval_with_object(self, identity, errors=None):
if self.group_name in identity.groups:
return True
- self.append_error_message( errors )
+
+ self.append_error_message(errors)
return False
@@ -94,8 +96,8 @@
Predicate for requiring membership in a number of groups.
'''
def __init__(self, *groups):
- group_predicates= [in_group(g) for g in groups]
- super(in_all_groups,self).__init__( *group_predicates )
+ group_predicates = [in_group(g) for g in groups]
+ super(in_all_groups,self).__init__(*group_predicates)
class in_any_group(Any, IdentityPredicateHelper):
@@ -105,9 +107,9 @@
error_message= "Not member of any group: %(group_list)s"
def __init__(self, *groups):
- self.group_list= ", ".join(groups)
- group_predicates= [in_group(g) for g in groups]
- super(in_any_group,self).__init__( *group_predicates )
+ self.group_list = ", ".join(groups)
+ group_predicates = [in_group(g) for g in groups]
+ super(in_any_group,self).__init__(*group_predicates)
class not_anonymous(Predicate, IdentityPredicateHelper):
@@ -116,10 +118,11 @@
'''
error_message= "Anonymous access denied"
- def eval_with_object( self, identity, errors=None ):
+ def eval_with_object(self, identity, errors=None):
if current.anonymous:
- self.append_error_message( errors )
+ self.append_error_message(errors)
return False
+
return True
@@ -127,10 +130,10 @@
'''
Predicate for checking whether the visitor has a particular permission.
'''
- error_message= "Permission denied: %(permission_name)s"
+ error_message = "Permission denied: %(permission_name)s"
def __init__(self, permission_name):
- self.permission_name= permission_name
+ self.permission_name = permission_name
def eval_with_object(self, identity, errors=None):
'''
@@ -139,7 +142,7 @@
if self.permission_name in identity.permissions:
return True
- self.append_error_message( errors )
+ self.append_error_message(errors)
return False
@@ -148,27 +151,28 @@
Predicate for checking whether the visitor has all permissions.
'''
def __init__(self, *permissions):
- permission_predicates= [has_permission(p) for p in permissions]
- super(has_all_permissions,self).__init__( *permission_predicates )
+ permission_predicates = [has_permission(p) for p in permissions]
+ super(has_all_permissions,self).__init__(*permission_predicates)
class has_any_permission(Any, IdentityPredicateHelper):
'''
Predicate for checking whether the visitor has at least one permission.
'''
- error_message= "No matching permissions: %(permission_list)s"
+ error_message = "No matching permissions: %(permission_list)s"
def __init__(self, *permissions):
- self.permission_list= ", ".join( permissions )
- permission_predicates= [has_permission(p) for p in permissions]
- super(has_any_permission,self).__init__( *permission_predicates )
+ self.permission_list = ", ".join(permissions)
+ permission_predicates = [has_permission(p) for p in permissions]
+ super(has_any_permission,self).__init__(*permission_predicates)
def _remoteHost():
try:
- ips= cherrypy.request.headers.get( "X-Forwarded-For",
- cherrypy.request.remote_host )
+ ips = cherrypy.request.headers.get(
+ "X-Forwarded-For", cherrypy.request.headers.get('Remote-Addr'))
return ips.split(",")[-1].strip()
+
except:
return ""
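Review bot: The rewritten `_remoteHost` still lets the requester choose the address that `from_host` and `from_any_host` (further down in this diff) match against, because `X-Forwarded-For` is read first and `Remote-Addr` is only the fallback; when no reverse proxy in front of the application overwrites that header, a request can carry an arbitrary value and `ips.split(",")[-1].strip()` returns whatever the client put there. The header should only be consulted when the deployment is known to sit behind a trusted proxy, e.g. gated on a setting read via `turbogears.config.get("<trusted-proxy setting>", False)` (placeholder name), and otherwise the lookup should be `ips = cherrypy.request.headers.get('Remote-Addr')` alone. The bare `except:` also hides the case where neither header is present and `.split` is called on `None`; `except AttributeError:` keeps the empty-string fallback without masking unrelated errors. The `from_host` docstring in this same diff already warns that a source address is easy to spoof, so the header-first lookup deserves a comment such as `# X-Forwarded-For is client-supplied; only meaningful behind a proxy that rewrites it`.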
@@ -176,6 +180,7 @@
def _match_ip(cidr, ip):
if not '/' in cidr:
return cidr == ip
+
else:
try:
b,m = cidr.split('/')
@@ -183,6 +188,7 @@
a1 = struct.unpack('!L', socket.inet_aton(b))[0] >> shift
a2 = struct.unpack('!L', socket.inet_aton(ip))[0] >> shift
return a1 == a2
+
except:
return False
@@ -193,19 +199,20 @@
Note: We never want to announce what the list of allowed hosts is, because
it is way too easy to spoof an IP address in a TCP/IP packet.
'''
- error_message= "Access from this host is not permitted."
+ error_message = "Access from this host is not permitted."
def __init__(self, host):
- self.host= host
+ self.host = host
- def eval_with_object( self, obj, errors=None ):
+ def eval_with_object(self, obj, errors=None):
'''
Match the visitor's host against the criteria.
'''
ip = _remoteHost()
- if _match_ip( self.host, ip ):
+ if _match_ip(self.host, ip):
return True
- self.append_error_message( errors )
+
+ self.append_error_message(errors)
return False
@@ -214,11 +221,11 @@
Predicate for checking whether the visitor's host is one of a number of
permitted hosts.
'''
- error_message= "Access from this host is not permitted."
+ error_message = "Access from this host is not permitted."
def __init__(self, hosts):
- host_predicates= [from_host(h) for h in hosts]
- super(from_any_host,self).__init__( *host_predicates )
+ host_predicates = [from_host(h) for h in hosts]
+ super(from_any_host, self).__init__(*host_predicates)
def require(predicate, obj=None):
@@ -229,113 +236,132 @@
def entangle(fn):
def require(func, self, *args, **kwargs):
try:
- errors= []
+ errors = []
if predicate is None or \
predicate.eval_with_object(current, errors):
return fn(self, *args, **kwargs)
+
except IdentityException, e:
- errors= [str(e)]
+ errors = [str(e)]
raise IdentityFailure(errors)
- fn._require= predicate
+ fn._require = predicate
return require
+
return weak_signature_decorator(entangle)
-def _secureResourceDecorator( fn ):
+def _secureResourceDecorator(fn):
'''
A decorator function used by the SecureResourceMeta metaclass.
'''
- def _wrapper( self, *args, **kwargs ):
- predicate= getattr( self.__class__, "require", None )
+ def _wrapper(self, *args, **kwargs):
+ predicate = getattr(self.__class__, "require", None)
try:
- errors= []
+ errors = []
if predicate is None or \
- predicate.eval_with_object( current, errors ):
- return fn( self, *args, **kwargs )
+ predicate.eval_with_object(current, errors):
+ return fn(self, *args, **kwargs)
+
except IdentityException, e:
- errors= [str(e)]
+ errors = [str(e)]
- raise IdentityFailure( errors )
+ raise IdentityFailure(errors)
try:
- _wrapper.func_name= fn.func_name
+ _wrapper.func_name = fn.func_name
+
except TypeError:
pass
- if hasattr( fn, "exposed" ):
- _wrapper.exposed= fn.exposed
+
+ if hasattr(fn, "exposed"):
+ _wrapper.exposed = fn.exposed
+
return _wrapper
-def _check_method( obj, fn, predicate ):
- def _wrapper( *args, **kw ):
+def _check_method(obj, fn, predicate):
+ def _wrapper(*args, **kw):
errors= []
- if predicate.eval_with_object( current, errors ):
- return fn( *args, **kw )
+ if predicate.eval_with_object(current, errors):
+ return fn(*args, **kw)
+
else:
- raise IdentityFailure( errors )
- _wrapper.exposed= True
+ raise IdentityFailure(errors)
+
+ _wrapper.exposed = True
return _wrapper
class SecureResource(object):
- def __getattribute__( self, name ):
+ def __getattribute__(self, name):
from turbogears import controllers
- if name[:3]=="_cp" or name in ["require"]:
+ if name[:3] == "_cp" or name in ["require"]:
return object.__getattribute__(self,name)
+
try:
- value= object.__getattribute__(self,name)
+ value = object.__getattribute__(self,name)
try:
- predicate= object.__getattribute__(self,"require")
+ predicate = object.__getattribute__(self,"require")
+
except AttributeError:
- predicate= turbogears.config.get( "identity.require", None )
+ predicate = turbogears.config.get("identity.require", None)
if predicate is None:
raise AttributeError("SecureResource requires a require "
"attribute either on the controller class
"
"itself or in the config file")
- errors= []
- if (isinstance( value, types.MethodType ) and
- hasattr( value, "exposed" )):
- return _check_method( self, value, predicate )
- if isinstance( value, controllers.Controller ):
- return SecureObject( value, predicate )
+ errors = []
+ if (isinstance(value, types.MethodType) and
+ hasattr(value, "exposed")):
+ return _check_method(self, value, predicate)
+
+ if isinstance(value, controllers.Controller):
+ return SecureObject(value, predicate)
+
# Some other property
return value
+
except IdentityException, e:
errors= [str(e)]
- raise IdentityFailure( errors )
+ raise IdentityFailure(errors)
class SecureObject(object):
- def __init__( self, obj, require, exclude=[]):
+ def __init__(self, obj, require, exclude=[]):
self._exclude = exclude
- self._object= obj
- self._require= require
+ self._object = obj
+ self._require = require
- def __getattribute__( self, name ):
+ def __getattribute__(self, name):
from turbogears import controllers
- if name[:3]=="_cp" or name in ["_object","_require","_exclude"]:
+ if name[:3] == "_cp" or name in ["_object", "_require", "_exclude"]:
return object.__getattribute__(self,name)
+
try:
- obj= object.__getattribute__( self, "_object" )
- value= getattr( obj, name )
+ obj = object.__getattribute__(self, "_object")
+ value = getattr(obj, name)
- errors= []
- predicate= object.__getattribute__(self,"_require")
+ errors = []
+ predicate = object.__getattribute__(self, "_require")
if name in object.__getattribute__(self, "_exclude"):
return value
- if (isinstance( value, types.MethodType ) and
- hasattr( value, "exposed" )):
- return _check_method( obj, value, predicate )
- if isinstance( value, controllers.Controller ):
- return SecureObject( value, predicate )
+
+ if (isinstance(value, types.MethodType) and
+ hasattr(value, "exposed")):
+ return _check_method(obj, value, predicate)
+
+ if isinstance(value, controllers.Controller):
+ return SecureObject(value, predicate)
+
# Some other property
return value
+
except IdentityException, e:
- errors= [str(e)]
+ errors = [str(e)]
+
+ raise IdentityFailure(errors)
- raise IdentityFailure( errors )