reorganising, exceptions and comments on new auth mecanism

tracim/__init__.py

@@ -8,11 +8,11 @@ from hapic.ext.pyramid import PyramidContext
 
 from tracim.extensions import hapic
 from tracim.config import CFG
-from tracim.lib.utils.auth import basic_auth_check_credentials
 from tracim.lib.utils.request import TracimRequest
-from tracim.lib.utils.auth import AcceptAllAuthorizationPolicy
-from tracim.lib.utils.auth import BASIC_AUTH_WEBUI_REALM
-from tracim.lib.utils.auth import TRACIM_DEFAULT_PERM
+from tracim.lib.utils.authentification import basic_auth_check_credentials
+from tracim.lib.utils.authentification import BASIC_AUTH_WEBUI_REALM
+from tracim.lib.utils.authorization import AcceptAllAuthorizationPolicy
+from tracim.lib.utils.authorization import TRACIM_DEFAULT_PERM
 from tracim.views.example_api.example_api_controller import ExampleApiController
 from tracim.views.default.default_controller import DefaultController
 

tracim/exceptions.py

@@ -71,3 +71,7 @@ class WorkspaceNotFound(NotFound):
 
 class InsufficientUserWorkspaceRole(TracimException):
     pass
+
+
+class ImmutableAttribute(TracimException):
+    pass

tracim/lib/utils/auth.py

@@ -1,146 +0,0 @@
-# -*- coding: utf-8 -*-
-import typing
-
-from pyramid.interfaces import IAuthorizationPolicy
-from zope.interface import implementer
-
-try:
-    from json.decoder import JSONDecodeError
-except ImportError:  # python3.4
-    JSONDecodeError = ValueError
-from sqlalchemy.orm.exc import NoResultFound
-
-from pyramid.request import Request
-
-from tracim.models.auth import User
-from tracim.models.data import Workspace
-from tracim.lib.core.user import UserApi
-from tracim.lib.core.workspace import WorkspaceApi
-
-from tracim.exceptions import NotAuthentificated
-from tracim.exceptions import WorkspaceNotFound
-from tracim.exceptions import InsufficientUserWorkspaceRole
-BASIC_AUTH_WEBUI_REALM = "tracim"
-TRACIM_DEFAULT_PERM = 'tracim'
-
-
-def get_safe_user(
-        request: Request,
-) -> User:
-    """
-    Get current pyramid authenticated user from request
-    :param request: pyramid request
-    :return: current authenticated user
-    """
-    app_config = request.registry.settings['CFG']
-    uapi = UserApi(None, session=request.dbsession, config=app_config)
-    user = None
-    try:
-        login = request.authenticated_userid
-        if not login:
-            raise NotAuthentificated('not authenticated user_id,'
-                                     'Failed Authentification ?')
-        user = uapi.get_one_by_email(login)
-    except NoResultFound:
-        raise NotAuthentificated('User not found')
-    return user
-
-
-def get_workspace(user: User, request: Request) -> typing.Optional[Workspace]:
-    """
-    Get current workspace from request
-    :param user: User who want to check the workspace
-    :param request: pyramid request
-    :return:
-    """
-    workspace_id = ''
-    try:
-        if 'workspace_id' not in request.json_body:
-            return None
-        workspace_id = request.json_body['workspace_id']
-        wapi = WorkspaceApi(current_user=user, session=request.dbsession)
-        workspace = wapi.get_one(workspace_id)
-    except JSONDecodeError:
-        raise WorkspaceNotFound('Bad json body')
-    except NoResultFound:
-        raise WorkspaceNotFound(
-            'Workspace {} does not exist '
-            'or is not visible for this user'.format(workspace_id)
-        )
-    return workspace
-
-###
-# BASIC AUTH
-###
-
-
-def basic_auth_check_credentials(
-        login: str,
-        cleartext_password: str,
-        request: 'TracimRequest'
-) -> typing.Optional[list]:
-    """
-    Check credential for pyramid basic_auth
-    :param login: login of user
-    :param cleartext_password: user password in cleartext
-    :param request: Pyramid request
-    :return: None if auth failed, list of permissions if auth succeed
-    """
-
-    # Do not accept invalid user
-    user = _get_basic_auth_unsafe_user(request)
-    if not user \
-            or user.email != login \
-            or not user.validate_password(cleartext_password):
-        return None
-    return []
-
-
-def _get_basic_auth_unsafe_user(
-    request: Request,
-) -> typing.Optional[User]:
-    """
-    :param request: pyramid request
-    :return: User or None
-    """
-    app_config = request.registry.settings['CFG']
-    uapi = UserApi(None, session=request.dbsession, config=app_config)
-    try:
-        login = request.unauthenticated_userid
-        if not login:
-            return None
-        user = uapi.get_one_by_email(login)
-    except NoResultFound:
-        return None
-    return user
-
-####
-
-
-def require_workspace_role(minimal_required_role):
-    def decorator(func):
-
-        def wrapper(self, request: 'TracimRequest'):
-            user = request.current_user
-            workspace = request.current_workspace
-            if workspace.get_user_role(user) >= minimal_required_role:
-                return func(self, request)
-            raise InsufficientUserWorkspaceRole()
-
-        return wrapper
-    return decorator
-
-###
-
-
-@implementer(IAuthorizationPolicy)
-class AcceptAllAuthorizationPolicy(object):
-    """
-    Simple AuthorizationPolicy to avoid trouble with pyramid.
-    Acceot any request.
-    """
-    def permits(self, context, principals, permision):
-        return True
-
-    def principals_allowed_by_permission(self, context, permission):
-        raise NotImplementedError()

tracim/lib/utils/authentification.py

@@ -0,0 +1,55 @@
+import typing
+
+from pyramid.request import Request
+from sqlalchemy.orm.exc import NoResultFound
+
+from tracim import TracimRequest
+from tracim.lib.core.user import UserApi
+from tracim.models import User
+
+BASIC_AUTH_WEBUI_REALM = "tracim"
+
+
+###
+# Pyramid HTTP Basic Auth
+###
+
+def basic_auth_check_credentials(
+        login: str,
+        cleartext_password: str,
+        request: TracimRequest
+) -> typing.Optional[list]:
+    """
+    Check credential for pyramid basic_auth
+    :param login: login of user
+    :param cleartext_password: user password in cleartext
+    :param request: Pyramid request
+    :return: None if auth failed, list of permissions if auth succeed
+    """
+
+    # Do not accept invalid user
+    user = _get_basic_auth_unsafe_user(request)
+    if not user \
+            or user.email != login \
+            or not user.validate_password(cleartext_password):
+        return None
+    return []
+
+
+def _get_basic_auth_unsafe_user(
+    request: Request,
+) -> typing.Optional[User]:
+    """
+    :param request: pyramid request
+    :return: User or None
+    """
+    app_config = request.registry.settings['CFG']
+    uapi = UserApi(None, session=request.dbsession, config=app_config)
+    try:
+        login = request.unauthenticated_userid
+        if not login:
+            return None
+        user = uapi.get_one_by_email(login)
+    except NoResultFound:
+        return None
+    return user

tracim/lib/utils/authorization.py

@@ -0,0 +1,62 @@
+# -*- coding: utf-8 -*-
+from typing import TYPE_CHECKING
+
+from pyramid.interfaces import IAuthorizationPolicy
+from zope.interface import implementer
+try:
+    from json.decoder import JSONDecodeError
+except ImportError:  # python3.4
+    JSONDecodeError = ValueError
+
+from tracim.exceptions import InsufficientUserWorkspaceRole
+if TYPE_CHECKING:
+    from tracim import TracimRequest
+###
+# Pyramid default permission/authorization mecanism
+
+# INFO - G.M - 12-04-2018 - Setiing a Default permission on view is
+#  needed to activate AuthentificationPolicy and
+# AuthorizationPolicy on pyramid request
+TRACIM_DEFAULT_PERM = 'tracim'
+
+
+@implementer(IAuthorizationPolicy)
+class AcceptAllAuthorizationPolicy(object):
+    """
+    Empty AuthorizationPolicy : Allow all request. As Pyramid need
+    a Authorization policy when we use AuthentificationPolicy, this
+    class permit use to disable pyramid authorization mecanism with
+    working a AuthentificationPolicy.
+    """
+    def permits(self, context, principals, permision):
+        return True
+
+    def principals_allowed_by_permission(self, context, permission):
+        raise NotImplementedError()
+
+###
+# Authorization decorators for views
+
+# INFO - G.M - 12-04-2018
+# Instead of relying on pyramid authorization mecanism
+# We prefer to use decorators
+
+
+def require_workspace_role(minimal_required_role):
+    """
+    Decorator for view to restrict access of tracim request if role
+    is not high enough
+    :param minimal_required_role:
+    :return:
+    """
+    def decorator(func):
+
+        def wrapper(self, request: 'TracimRequest'):
+            user = request.current_user
+            workspace = request.current_workspace
+            if workspace.get_user_role(user) >= minimal_required_role:
+                return func(self, request)
+            raise InsufficientUserWorkspaceRole()
+
+        return wrapper
+    return decorator

tracim/lib/utils/request.py

@@ -1,15 +1,22 @@
-from contextlib import contextmanager
-
-from pyramid.decorator import reify
+import typing
 from pyramid.request import Request
+from sqlalchemy.orm.exc import NoResultFound
+
+from tracim.exceptions import NotAuthentificated
+from tracim.exceptions import WorkspaceNotFound
+from tracim.exceptions import ImmutableAttribute
+from tracim.lib.core.user import UserApi
+from tracim.lib.core.workspace import WorkspaceApi
+from tracim.lib.utils.authorization import JSONDecodeError
 
 from tracim.models import User
 from tracim.models.data import Workspace
-from tracim.lib.utils.auth import get_safe_user
-from tracim.lib.utils.auth import get_workspace
 
 
 class TracimRequest(Request):
+    """
+    Request with tracim specific params/methods
+    """
     def __init__(
             self,
             environ,
@@ -30,13 +37,27 @@ class TracimRequest(Request):
 
     @property
     def current_workspace(self) -> Workspace:
+        """
+        Get current workspace of the request according to authentification and
+        request headers (to retrieve workspace). Setted by default value the
+        first time if not configured.
+        :return: Workspace of the request
+        """
         if self._current_workspace is None:
             self.current_workspace = get_workspace(self.current_user, self)
         return self._current_workspace
 
     @current_workspace.setter
     def current_workspace(self, workspace: Workspace) -> None:
-        assert self._current_workspace is None
+        """
+        Setting current_workspace
+        :param workspace:
+        :return:
+        """
+        if self._current_workspace is not None:
+            raise ImmutableAttribute(
+                "Can't modify already setted current_workspace"
+            )
         self._current_workspace = workspace
 
     @property
@@ -47,5 +68,60 @@ class TracimRequest(Request):
 
     @current_user.setter
     def current_user(self, user: User) -> None:
-        assert self._current_user is None
+        if self._current_user is not None:
+            raise ImmutableAttribute(
+                "Can't modify already setted current_user"
+            )
         self._current_user = user
+
+
+###
+# Utils for TracimRequest
+###
+
+def get_safe_user(
+        request: TracimRequest,
+) -> User:
+    """
+    Get current pyramid authenticated user from request
+    :param request: pyramid request
+    :return: current authenticated user
+    """
+    app_config = request.registry.settings['CFG']
+    uapi = UserApi(None, session=request.dbsession, config=app_config)
+    try:
+        login = request.authenticated_userid
+        if not login:
+            raise NotAuthentificated('not authenticated user_id,'
+                                     'Failed Authentification ?')
+        user = uapi.get_one_by_email(login)
+    except NoResultFound:
+        raise NotAuthentificated('User not found')
+    return user
+
+
+def get_workspace(
+        user: User,
+        request: TracimRequest
+) -> Workspace:
+    """
+    Get current workspace from request
+    :param user: User who want to check the workspace
+    :param request: pyramid request
+    :return: current workspace
+    """
+    workspace_id = ''
+    try:
+        if 'workspace_id' not in request.json_body:
+            raise WorkspaceNotFound('No workspace_id param in json body')
+        workspace_id = request.json_body['workspace_id']
+        wapi = WorkspaceApi(current_user=user, session=request.dbsession)
+        workspace = wapi.get_one(workspace_id)
+    except JSONDecodeError:
+        raise WorkspaceNotFound('Bad json body')
+    except NoResultFound:
+        raise WorkspaceNotFound(
+            'Workspace {} does not exist '
+            'or is not visible for this user'.format(workspace_id)
+        )
+    return workspace

tracim/views/default/default_controller.py

@@ -1,6 +1,7 @@
 # coding=utf-8
 from pyramid.request import Request
 
+from tracim import TracimRequest
 from tracim.models.data import UserRoleInWorkspace
 from tracim.views.controllers import Controller
 from pyramid.config import Configurator
@@ -10,7 +11,7 @@ from pyramid.httpexceptions import HTTPUnauthorized
 from pyramid.httpexceptions import HTTPForbidden
 from pyramid.security import forget, authenticated_userid
 
-from tracim.lib.utils.auth import require_workspace_role
+from tracim.lib.utils.authorization import require_workspace_role
 
 
 class DefaultController(Controller):
@@ -31,12 +32,10 @@ class DefaultController(Controller):
 
     # TODO - G.M - 10-04-2018 - [cleanup][tempExample] - Drop this method
     @require_workspace_role(UserRoleInWorkspace.READER)
-    def test_config(self, request: Request):
-        try:
-            app_config = request.registry.settings['CFG']
-            project = app_config.WEBSITE_TITLE
-        except Exception as e:
-            return Response(e, content_type='text/plain', status=500)
+    def test_config(self, request: TracimRequest):
+        app_config = request.registry.settings['CFG']
+        project = app_config.WEBSITE_TITLE
+        request.current_user = "lapin"
         return {'project': project}
 
     # TODO - G.M - 10-04-2018 - [cleanup][tempExample] - Drop this method