import enum
from aiohttp import web
from aiohttp_security.abc import (AbstractIdentityPolicy,
AbstractAuthorizationPolicy)
from functools import wraps
# Keys under which setup() stores the two policies in the aiohttp
# Application mapping; every lookup in this module reads them back with
# request.app.get(<key>).
# NOTE(review): lookups go through request.app only, so a policy installed
# on a parent application would not be seen from a sub-application's
# handlers — confirm this is intended.
IDENTITY_KEY = 'aiohttp_security_identity_policy'
AUTZ_KEY = 'aiohttp_security_autz_policy'
async def remember(request, response, identity, **kwargs):
    """Store *identity* in *response* so later requests can be identified.

    The work is delegated to ``identity_policy.remember()``; extra keyword
    arguments are forwarded to it unchanged. Where the identity ends up
    (a cookie, a custom header, ...) is decided by that policy.

    *identity* must be a non-empty ``str``. The check is an ``assert``,
    so it is skipped under ``python -O``.

    Raises:
        HTTPInternalServerError: if no identity policy is installed on
            ``request.app``, i.e. ``aiohttp_security.setup()`` was not
            called.
    """
    assert isinstance(identity, str), identity
    assert identity
    policy = request.app.get(IDENTITY_KEY)
    if policy is not None:
        await policy.remember(request, response, identity, **kwargs)
        return
    message = ("Security subsystem is not initialized, "
               "call aiohttp_security.setup(...) first")
    # The same message goes into *reason* (console / log output) and *text*
    # (the rendered error page) so the misconfiguration is visible in both.
    raise web.HTTPInternalServerError(reason=message, text=message)
async def forget(request, response):
    """Drop the identity previously stored by :func:`remember`.

    Delegates to ``identity_policy.forget()``; what exactly gets cleared
    (a cookie, a server-side session, ...) is up to that policy.

    Raises:
        HTTPInternalServerError: if no identity policy is installed on
            ``request.app``, i.e. ``aiohttp_security.setup()`` was not
            called.
    """
    policy = request.app.get(IDENTITY_KEY)
    if policy is not None:
        await policy.forget(request, response)
        return
    message = ("Security subsystem is not initialized, "
               "call aiohttp_security.setup(...) first")
    # The same message goes into *reason* (console / log output) and *text*
    # (the rendered error page) so the misconfiguration is visible in both.
    raise web.HTTPInternalServerError(reason=message, text=message)
async def authorized_userid(request):
    """Return the user id of the authorized user behind *request*.

    Returns ``None`` when the security subsystem is not set up (either
    policy missing from ``request.app``) or when the identity policy finds
    no identity in the request; otherwise returns whatever
    ``autz_policy.authorized_userid(identity)`` yields.
    """
    app = request.app
    identity_policy = app.get(IDENTITY_KEY)
    autz_policy = app.get(AUTZ_KEY)
    if identity_policy is None:
        return None
    if autz_policy is None:
        return None
    identity = await identity_policy.identify(request)
    if identity is None:
        # No identity in the request: an unregistered (anonymous) user.
        return None
    return await autz_policy.authorized_userid(identity)
async def permits(request, permission, context=None):
    """Tell whether the identity behind *request* holds *permission*.

    *permission* must be a non-empty ``str`` or ``enum.Enum`` member
    (checked with ``assert``, so not enforced under ``python -O``).
    *context* is passed through to ``autz_policy.permits()`` untouched.

    Fail-open behaviour: if either policy is missing from ``request.app``
    (``aiohttp_security.setup()`` not called) the answer is ``True`` for
    every permission. When the identity policy finds no identity the
    ``None`` identity is still handed to the authorization policy, which
    may grant some permissions to anonymous users.
    """
    assert isinstance(permission, (str, enum.Enum)), permission
    assert permission
    app = request.app
    identity_policy = app.get(IDENTITY_KEY)
    autz_policy = app.get(AUTZ_KEY)
    if identity_policy is None or autz_policy is None:
        return True
    identity = await identity_policy.identify(request)
    return await autz_policy.permits(identity, permission, context)
async def is_anonymous(request):
    """Return ``True`` if *request* carries no identity.

    A request is anonymous when the identity policy cannot identify it.
    Without an identity policy installed on ``request.app`` nobody can be
    identified, so the answer is ``True`` as well.
    """
    policy = request.app.get(IDENTITY_KEY)
    if policy is None:
        return True
    return await policy.identify(request) is None
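def _request_from_args(args, kwargs):
    """Pick the aiohttp request out of a decorated handler's arguments.

    Supports ``handler(request)`` and ``handler(self, request)``: the
    ``request`` keyword wins if present, otherwise the last positional
    argument is taken.

    Raises:
        RuntimeError: if that value is not a ``web.BaseRequest``, i.e. the
            decorator was applied to something other than a request handler.
    """
    request = kwargs.get('request', args[-1] if args else None)
    if not isinstance(request, web.BaseRequest):
        msg = ("Incorrect decorator usage. "
               "Expecting `def handler(request)` "
               "or `def handler(self, request)`.")
        raise RuntimeError(msg)
    return request


def login_required(fn):
    """Decorator that restricts access to authorized users only.

    A user is authorized when :func:`authorized_userid` returns a value;
    otherwise the request is rejected with ``HTTPUnauthorized``.
    Because ``authorized_userid`` returns ``None`` when
    ``aiohttp_security.setup()`` was never called, an unconfigured
    application rejects every request here (fail-closed).

    The wrapped handler raises ``RuntimeError`` if it does not receive the
    request as ``request=`` or as its last positional argument.
    """
    @wraps(fn)
    async def wrapped(*args, **kwargs):
        request = _request_from_args(args, kwargs)
        userid = await authorized_userid(request)
        if userid is None:
            raise web.HTTPUnauthorized
        return await fn(*args, **kwargs)

    return wrapped


def has_permission(
        permission,
        context=None,
):
    """Decorator that restricts access to authorized users holding
    *permission*.

    Raises ``HTTPUnauthorized`` when :func:`authorized_userid` returns
    ``None`` and ``HTTPForbidden`` when :func:`permits` denies
    *permission* (``context`` is forwarded to it unchanged). The
    authorization check runs first, so the fail-open answer ``permits``
    gives on an unconfigured application is never reached from here.

    The wrapped handler raises ``RuntimeError`` if it does not receive the
    request as ``request=`` or as its last positional argument.
    """
    def wrapper(fn):
        @wraps(fn)
        async def wrapped(*args, **kwargs):
            request = _request_from_args(args, kwargs)
            userid = await authorized_userid(request)
            if userid is None:
                raise web.HTTPUnauthorized
            allowed = await permits(request, permission, context)
            if not allowed:
                raise web.HTTPForbidden
            return await fn(*args, **kwargs)

        return wrapped

    return wrapper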
def setup(app, identity_policy, autz_policy):
    """Install the identity and authorization policies on *app*.

    Both policies are type-checked with ``assert`` against the abstract
    base classes (so the check is skipped under ``python -O``) and then
    stored under ``IDENTITY_KEY`` / ``AUTZ_KEY``, where the other
    functions in this module look them up through ``request.app``.
    """
    assert isinstance(identity_policy, AbstractIdentityPolicy), identity_policy
    assert isinstance(autz_policy, AbstractAuthorizationPolicy), autz_policy
    policies = ((IDENTITY_KEY, identity_policy), (AUTZ_KEY, autz_policy))
    for key, policy in policies:
        app[key] = policy