aiohttp-security/aiohttp_security/api.py

183 lines
6.7 KiB
Python
Raw Normal View History

import enum
2018-09-06 10:06:55 +00:00
import warnings
from functools import wraps
2020-12-18 17:58:38 +00:00
from typing import Any, Callable, Optional, TypeVar, Union
from aiohttp import web
from aiohttp_security.abc import AbstractAuthorizationPolicy, AbstractIdentityPolicy
2015-07-08 17:30:24 +00:00
IDENTITY_KEY = 'aiohttp_security_identity_policy'
AUTZ_KEY = 'aiohttp_security_autz_policy'
2020-12-18 17:58:38 +00:00
# _AIP/_AAP are shorthand for Optional[policy] when we retrieve from request.
_AAP = Optional[AbstractAuthorizationPolicy]
_AIP = Optional[AbstractIdentityPolicy]
_Handler = TypeVar('_Handler', bound=Union[Callable[[web.Request], Any],
Callable[[object, web.Request], Any]])
2015-07-08 17:30:24 +00:00
2020-12-18 17:58:38 +00:00
async def remember(request: web.Request, response: web.StreamResponse,
identity: str, **kwargs: Any) -> None:
2015-10-29 08:31:24 +00:00
"""Remember identity into response.
2015-10-29 13:34:38 +00:00
The action is performed by identity_policy.remember()
2018-02-01 08:50:58 +00:00
Usually the identity is stored in user cookies somehow but may be
2015-10-29 13:34:38 +00:00
pushed into custom header also.
2015-10-29 08:31:24 +00:00
"""
assert isinstance(identity, str), identity
2015-11-20 11:39:10 +00:00
assert identity
identity_policy = request.config_dict.get(IDENTITY_KEY)
if identity_policy is None:
text = ("Security subsystem is not initialized, "
"call aiohttp_security.setup(...) first")
# in order to see meaningful exception message both: on console
# output and rendered page we add same message to *reason* and
# *text* arguments.
raise web.HTTPInternalServerError(reason=text, text=text)
2017-12-13 14:51:46 +00:00
await identity_policy.remember(request, response, identity, **kwargs)
2015-07-08 17:30:24 +00:00
2020-12-18 17:58:38 +00:00
async def forget(request: web.Request, response: web.StreamResponse) -> None:
"""Forget previously remembered identity.
2015-11-02 20:28:10 +00:00
2015-10-29 13:34:38 +00:00
Usually it clears cookie or server-side storage to forget user
session.
"""
identity_policy = request.config_dict.get(IDENTITY_KEY)
if identity_policy is None:
text = ("Security subsystem is not initialized, "
"call aiohttp_security.setup(...) first")
# in order to see meaningful exception message both: on console
# output and rendered page we add same message to *reason* and
# *text* arguments.
raise web.HTTPInternalServerError(reason=text, text=text)
2017-12-13 14:51:46 +00:00
await identity_policy.forget(request, response)
2015-07-08 17:30:24 +00:00
2020-12-18 17:58:38 +00:00
async def authorized_userid(request: web.Request) -> Optional[str]:
identity_policy: _AIP = request.config_dict.get(IDENTITY_KEY)
autz_policy: _AAP = request.config_dict.get(AUTZ_KEY)
if identity_policy is None or autz_policy is None:
return None
2017-12-13 14:51:46 +00:00
identity = await identity_policy.identify(request)
2015-11-20 11:39:10 +00:00
if identity is None:
return None # non-registered user has None user_id
2017-12-13 14:51:46 +00:00
user_id = await autz_policy.authorized_userid(identity)
2015-07-08 17:30:24 +00:00
return user_id
2020-12-18 17:58:38 +00:00
async def permits(request: web.Request, permission: Union[str, enum.Enum],
context: Any = None) -> bool:
assert isinstance(permission, (str, enum.Enum)), permission
2015-11-20 11:39:10 +00:00
assert permission
2020-12-18 17:58:38 +00:00
identity_policy: _AIP = request.config_dict.get(IDENTITY_KEY)
autz_policy: _AAP = request.config_dict.get(AUTZ_KEY)
if identity_policy is None or autz_policy is None:
return True
2017-12-13 14:51:46 +00:00
identity = await identity_policy.identify(request)
2020-12-18 17:58:38 +00:00
# non-registered user still may have some permissions
2017-12-13 14:51:46 +00:00
access = await autz_policy.permits(identity, permission, context)
2015-07-08 17:30:24 +00:00
return access
2020-12-18 17:58:38 +00:00
async def is_anonymous(request: web.Request) -> bool:
"""Check if user is anonymous.
User is considered anonymous if there is not identity
in request.
"""
identity_policy = request.config_dict.get(IDENTITY_KEY)
if identity_policy is None:
return True
2017-12-13 14:51:46 +00:00
identity = await identity_policy.identify(request)
if identity is None:
return True
return False
2020-12-18 17:58:38 +00:00
async def check_authorized(request: web.Request) -> str:
2018-09-06 10:06:55 +00:00
"""Checker that raises HTTPUnauthorized for anonymous users.
"""
userid = await authorized_userid(request)
if userid is None:
raise web.HTTPUnauthorized()
return userid
2020-12-18 17:58:38 +00:00
def login_required(fn: _Handler) -> _Handler:
"""Decorator that restrict access only for authorized users.
User is considered authorized if authorized_userid
returns some value.
"""
@wraps(fn)
2020-12-18 17:58:38 +00:00
async def wrapped(*args: Union[object, web.Request]) -> Any:
request = args[-1]
2020-12-18 17:58:38 +00:00
if not isinstance(request, web.Request):
msg = ("Incorrect decorator usage. "
"Expecting `def handler(request)` "
"or `def handler(self, request)`.")
raise RuntimeError(msg)
2018-09-06 10:06:55 +00:00
await check_authorized(request)
2020-12-18 17:58:38 +00:00
return await fn(*args) # type: ignore[arg-type]
2018-09-06 10:06:55 +00:00
warnings.warn("login_required decorator is deprecated, "
"use check_authorized instead",
DeprecationWarning)
2020-12-18 17:58:38 +00:00
return wrapped # type: ignore[return-value]
2020-12-18 17:58:38 +00:00
async def check_permission(request: web.Request, permission: Union[str, enum.Enum],
context: Any = None) -> None:
2018-09-06 10:06:55 +00:00
"""Checker that passes only to authoraised users with given permission.
If user is not authorized - raises HTTPUnauthorized,
if user is authorized and does not have permission -
raises HTTPForbidden.
"""
await check_authorized(request)
allowed = await permits(request, permission, context)
if not allowed:
raise web.HTTPForbidden()
2020-12-18 17:58:38 +00:00
def has_permission(permission: Union[str, enum.Enum], context: Any = None): # type: ignore
2018-09-06 10:06:55 +00:00
"""Decorator that restricts access only for authorized users
with correct permissions.
If user is not authorized - raises HTTPUnauthorized,
if user is authorized and does not have permission -
raises HTTPForbidden.
"""
2020-12-18 17:58:38 +00:00
def wrapper(fn): # type: ignore
@wraps(fn)
2020-12-18 17:58:38 +00:00
async def wrapped(*args, **kwargs): # type: ignore
request = args[-1]
2020-12-18 17:58:38 +00:00
if not isinstance(request, web.Request):
msg = ("Incorrect decorator usage. "
"Expecting `def handler(request)` "
"or `def handler(self, request)`.")
raise RuntimeError(msg)
2018-09-06 10:06:55 +00:00
await check_permission(request, permission, context)
return await fn(*args, **kwargs)
return wrapped
2018-09-06 10:06:55 +00:00
warnings.warn("has_permission decorator is deprecated, "
"use check_permission instead",
DeprecationWarning)
return wrapper
2020-12-18 17:58:38 +00:00
def setup(app: web.Application, identity_policy: AbstractIdentityPolicy,
autz_policy: AbstractAuthorizationPolicy) -> None:
2015-07-08 17:30:24 +00:00
assert isinstance(identity_policy, AbstractIdentityPolicy), identity_policy
2015-09-06 05:12:18 +00:00
assert isinstance(autz_policy, AbstractAuthorizationPolicy), autz_policy
2015-07-08 17:30:24 +00:00
app[IDENTITY_KEY] = identity_policy
2015-09-06 05:12:18 +00:00
app[AUTZ_KEY] = autz_policy