new authorization mecanism with decorators

tracim/__init__.py

 
 from pyramid.config import Configurator
 from pyramid.authentication import BasicAuthAuthenticationPolicy
-from pyramid.authorization import ACLAuthorizationPolicy
 from hapic.ext.pyramid import PyramidContext
 
 from tracim.extensions import hapic
 from tracim.config import CFG
-from tracim.lib.utils.auth import check_credentials
-from tracim.lib.utils.auth import Root
+from tracim.lib.utils.auth import basic_auth_check_credentials
+from tracim.lib.utils.request import TracimRequest
+from tracim.lib.utils.auth import AcceptAllAuthorizationPolicy
 from tracim.lib.utils.auth import BASIC_AUTH_WEBUI_REALM
+from tracim.lib.utils.auth import TRACIM_DEFAULT_PERM
 from tracim.views.example_api.example_api_controller import ExampleApiController
 from tracim.views.default.default_controller import DefaultController
 
     app_config.configure_filedepot()
     settings['CFG'] = app_config
     configurator = Configurator(settings=settings, autocommit=True)
-    # Add BasicAuthPolicy + ACL AuthorizationPolicy
+    # Add BasicAuthPolicy
     authn_policy = BasicAuthAuthenticationPolicy(
-        check_credentials,
+        basic_auth_check_credentials,
         realm=BASIC_AUTH_WEBUI_REALM,
     )
-    configurator.set_authorization_policy(ACLAuthorizationPolicy())
+    # Default authorization : Accept anything.
+    configurator.set_authorization_policy(AcceptAllAuthorizationPolicy())
     configurator.set_authentication_policy(authn_policy)
-    configurator.set_root_factory(lambda request: Root())
+    # INFO - GM - 11-04-2018 - set default perm
+    # setting default perm is needed to force authentification
+    # mecanism in all views.
+    configurator.set_default_permission(TRACIM_DEFAULT_PERM)
+    # Override default request
+    configurator.set_request_factory(TracimRequest)
     # Pyramids "plugin" include.
     configurator.include('pyramid_jinja2')
     # Add SqlAlchemy DB

tracim/exceptions.py

 
 class SameValueError(ValueError):
     pass
+
+
+class NotAuthentificated(TracimException):
+    pass
+
+
+class WorkspaceNotFound(NotFound):
+    pass
+
+
+class InsufficientUserWorkspaceRole(TracimException):
+    pass

tracim/lib/utils/auth.py

 # -*- coding: utf-8 -*-
 import typing
+
+from pyramid.interfaces import IAuthorizationPolicy
+from zope.interface import implementer
+
 try:
     from json.decoder import JSONDecodeError
 except ImportError:  # python3.4
 from sqlalchemy.orm.exc import NoResultFound
 
 from pyramid.request import Request
-from pyramid.security import ALL_PERMISSIONS
-from pyramid.security import Allow
-from pyramid.security import unauthenticated_userid
 
-from tracim.models.auth import Group
 from tracim.models.auth import User
 from tracim.models.data import Workspace
-from tracim.models.data import UserRoleInWorkspace
 from tracim.lib.core.user import UserApi
 from tracim.lib.core.workspace import WorkspaceApi
-from tracim.lib.core.userworkspace import RoleApi
 
-# INFO - G.M - 06-04-2018 - Auth for pyramid
-# based on this tutorial : https://docs.pylonsproject.org/projects/pyramid-cookbook/en/latest/auth/basic.html  # nopep8
+from tracim.exceptions import NotAuthentificated
+from tracim.exceptions import WorkspaceNotFound
+from tracim.exceptions import InsufficientUserWorkspaceRole
 BASIC_AUTH_WEBUI_REALM = "tracim"
+TRACIM_DEFAULT_PERM = 'tracim'
 
 
-def get_user(request: Request) -> typing.Optional[User]:
+def get_safe_user(
+        request: Request,
+) -> User:
     """
-    Get current pyramid user from request
+    Get current pyramid authenticated user from request
     :param request: pyramid request
-    :return:
+    :return: current authenticated user
     """
     app_config = request.registry.settings['CFG']
     uapi = UserApi(None, session=request.dbsession, config=app_config)
     user = None
     try:
-        login = unauthenticated_userid(request)
+        login = request.authenticated_userid
+        if not login:
+            raise NotAuthentificated('not authenticated user_id,'
+                                     'Failed Authentification ?')
         user = uapi.get_one_by_email(login)
     except NoResultFound:
-        pass
+        raise NotAuthentificated('User not found')
     return user
 
 
-def get_workspace(request: Request) -> typing.Optional[Workspace]:
+def get_workspace(user: User, request: Request) -> typing.Optional[Workspace]:
     """
     Get current workspace from request
+    :param user: User who want to check the workspace
     :param request: pyramid request
     :return:
     """
-    workspace = None
+    workspace_id = ''
     try:
         if 'workspace_id' not in request.json_body:
             return None
         workspace_id = request.json_body['workspace_id']
-        wapi = WorkspaceApi(current_user=None, session=request.dbsession)
+        wapi = WorkspaceApi(current_user=user, session=request.dbsession)
         workspace = wapi.get_one(workspace_id)
     except JSONDecodeError:
-        pass
+        raise WorkspaceNotFound('Bad json body')
     except NoResultFound:
-        pass
+        raise WorkspaceNotFound(
+            'Workspace {} does not exist '
+            'or is not visible for this user'.format(workspace_id)
+        )
     return workspace
 
+###
+# BASIC AUTH
+###
+
 
-def check_credentials(
+def basic_auth_check_credentials(
         login: str,
         cleartext_password: str,
-        request: Request
+        request: 'TracimRequest'
 ) -> typing.Optional[list]:
     """
-    Check credential for pyramid basic_auth, checks also for
-    global and Workspace related permissions.
+    Check credential for pyramid basic_auth
     :param login: login of user
     :param cleartext_password: user password in cleartext
     :param request: Pyramid request
     :return: None if auth failed, list of permissions if auth succeed
     """
-    user = get_user(request)
 
     # Do not accept invalid user
+    user = _get_basic_auth_unsafe_user(request)
     if not user \
             or user.email != login \
             or not user.validate_password(cleartext_password):
         return None
-    permissions = []
-
-    # Global groups
-    for group in user.groups:
-        permissions.append(group.group_id)
-
-    # Current workspace related group
-    workspace = get_workspace(request)
-    if workspace:
-        roleapi = RoleApi(current_user=user, session=request.dbsession)
-        role = roleapi.get_one(
-            user_id=user.user_id,
-            workspace_id=workspace.workspace_id,
-        )
-        permissions.append(role)
+    return []
 
-    return permissions
 
+def _get_basic_auth_unsafe_user(
+    request: Request,
+) -> typing.Optional[User]:
+    """
+    :param request: pyramid request
+    :return: User or None
+    """
+    app_config = request.registry.settings['CFG']
+    uapi = UserApi(None, session=request.dbsession, config=app_config)
+    try:
+        login = request.unauthenticated_userid
+        if not login:
+            return None
+        user = uapi.get_one_by_email(login)
+    except NoResultFound:
+        return None
+    return user
+
+####
 
-# Global Permissions
-ADMIN_PERM = 'admin'
-MANAGE_GLOBAL_PERM = 'manage_global'
-USER_PERM = 'user'
-# Workspace-specific permission
-READ_PERM = 'read'
-CONTRIBUTE_PERM = 'contribute'
-MANAGE_CONTENT_PERM = 'manage_content'
-MANAGE_WORKSPACE_PERM = 'manage_workspace'
 
+def require_workspace_role(minimal_required_role):
+    def decorator(func):
 
-class Root(object):
+        def wrapper(self, request: 'TracimRequest'):
+            user = request.current_user
+            workspace = request.current_workspace
+            if workspace.get_user_role(user) >= minimal_required_role:
+                return func(self, request)
+            raise InsufficientUserWorkspaceRole()
+
+        return wrapper
+    return decorator
+
+###
+
+
+@implementer(IAuthorizationPolicy)
+class AcceptAllAuthorizationPolicy(object):
     """
-    Root of all Pyramid requests, used to store global acl
+    Simple AuthorizationPolicy to avoid trouble with pyramid.
+    Acceot any request.
     """
-    __acl__ = ()
+    def permits(self, context, principals, permision):
+        return True
+
+    def principals_allowed_by_permission(self, context, permission):
+        raise NotImplementedError()

tracim/lib/utils/request.py

+from contextlib import contextmanager
+
+from pyramid.decorator import reify
+from pyramid.request import Request
+
+from tracim.models import User
+from tracim.models.data import Workspace
+from tracim.lib.utils.auth import get_safe_user
+from tracim.lib.utils.auth import get_workspace
+
+
+class TracimRequest(Request):
+    def __init__(
+            self,
+            environ,
+            charset=None,
+            unicode_errors=None,
+            decode_param_names=None,
+            **kw
+    ):
+        super().__init__(
+            environ,
+            charset,
+            unicode_errors,
+            decode_param_names,
+            **kw
+        )
+        self._current_workspace = None  # type: Workspace
+        self._current_user = None  # type: User
+
+    @property
+    def current_workspace(self) -> Workspace:
+        if self._current_workspace is None:
+            self.current_workspace = get_workspace(self.current_user, self)
+        return self._current_workspace
+
+    @current_workspace.setter
+    def current_workspace(self, workspace: Workspace) -> None:
+        assert self._current_workspace is None
+        self._current_workspace = workspace
+
+    @property
+    def current_user(self) -> User:
+        if self._current_user is None:
+            self.current_user = get_safe_user(self)
+        return self._current_user
+
+    @current_user.setter
+    def current_user(self, user: User) -> None:
+        assert self._current_user is None
+        self._current_user = user

tracim/views/default/default_controller.py

 # coding=utf-8
+from pyramid.request import Request
+
+from tracim.models.data import UserRoleInWorkspace
 from tracim.views.controllers import Controller
 from pyramid.config import Configurator
 from pyramid.response import Response
 from pyramid.exceptions import NotFound
 from pyramid.httpexceptions import HTTPUnauthorized
 from pyramid.httpexceptions import HTTPForbidden
-from pyramid.security import forget
+from pyramid.security import forget, authenticated_userid
 
-from tracim.lib.utils.auth import MANAGE_CONTENT_PERM
-from tracim.lib.utils.auth import MANAGE_WORKSPACE_PERM
-from tracim.lib.utils.auth import MANAGE_GLOBAL_PERM
-from tracim.lib.utils.auth import READ_PERM
-from tracim.lib.utils.auth import CONTRIBUTE_PERM
-from tracim.lib.utils.auth import ADMIN_PERM
-from tracim.lib.utils.auth import USER_PERM
+from tracim.lib.utils.auth import require_workspace_role
 
 
 class DefaultController(Controller):
 
-    @classmethod
-    def notfound_view(cls, request):
+    def notfound_view(self, request):
         request.response.status = 404
         return {}
 
-    @classmethod
-    def forbidden_view(cls, request):
+    def forbidden_view(self, request):
         if request.authenticated_userid is None:
             response = HTTPUnauthorized()
             response.headers.update(forget(request))
         return response
 
     # TODO - G.M - 10-04-2018 - [cleanup][tempExample] - Drop this method
-    @classmethod
-    def test_config(cls, request):
+    @require_workspace_role(UserRoleInWorkspace.READER)
+    def test_config(self, request: Request):
         try:
             app_config = request.registry.settings['CFG']
             project = app_config.WEBSITE_TITLE
         return {'project': project}
 
     # TODO - G.M - 10-04-2018 - [cleanup][tempExample] - Drop this method
-    @classmethod
-    def test_contributor_page(cls, request):
+    @require_workspace_role(UserRoleInWorkspace.CONTRIBUTOR)
+    def test_contributor_page(self, request):
         try:
             app_config = request.registry.settings['CFG']
             project = 'contributor'
         return {'project': project}
 
     # TODO - G.M - 10-04-2018 - [cleanup][tempExample] - Drop this method
-    @classmethod
-    def test_admin_page(cls, request):
+    def test_admin_page(self, request):
         try:
             app_config = request.registry.settings['CFG']
             project = 'admin'
         return {'project': project}
 
     # TODO - G.M - 10-04-2018 - [cleanup][tempExample] - Drop this method
-    @classmethod
-    def test_manager_page(cls, request):
+    def test_manager_page(self, request):
         try:
             app_config = request.registry.settings['CFG']
             project = 'manager'
         return {'project': project}
 
     # TODO - G.M - 10-04-2018 - [cleanup][tempExample] - Drop this method
-    @classmethod
-    def test_user_page(cls, request):
+    def test_user_page(self, request):
         try:
             app_config = request.registry.settings['CFG']
             project = 'user'
             self.test_contributor_page,
             route_name='test_contributor',
             renderer='tracim:templates/mytemplate.jinja2',
-            permission=CONTRIBUTE_PERM,
         )
 
         # TODO - G.M - 10-04-2018 - [cleanup][tempExample] - Drop this method
             self.test_admin_page,
             route_name='test_admin',
             renderer='tracim:templates/mytemplate.jinja2',
-            permission=ADMIN_PERM,
         )
 
         # TODO - G.M - 10-04-2018 - [cleanup][tempExample] - Drop this method
             self.test_user_page,
             route_name='test_manager',
             renderer='tracim:templates/mytemplate.jinja2',
-            permission=MANAGE_GLOBAL_PERM,
         )
 
         # TODO - G.M - 10-04-2018 - [cleanup][tempExample] - Drop this method
             self.test_user_page,
             route_name='test_user',
             renderer='tracim:templates/mytemplate.jinja2',
-            permission=USER_PERM,
         )
 
         configurator.add_forbidden_view(self.forbidden_view)